| Package | python-django |
|---|---|
| Version | 1:1.10.7-2+deb9u26 (stretch), 1:1.11.29-1+deb10u15 (buster) |
| Related CVEs | CVE-2023-43665 CVE-2024-24680 CVE-2025-32873 |
A number of vulnerabilities were found in Django, a Python-based web-development framework:
- CVE-2023-43665: Address a denial-of-service possibility in `django.utils.text.Truncator`. Following the fix for CVE-2019-14232, the regular expressions used in the implementation of `django.utils.text.Truncator`'s `chars()` and `words()` methods (with `html=True`) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability. The `chars()` and `words()` methods are used to implement the `truncatechars_html` and `truncatewords_html` template filters, which were thus also vulnerable. The input processed by `Truncator`, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.
- CVE-2024-24680: Potential denial-of-service in `intcomma` template filter. The `intcomma` template filter was subject to a potential denial-of-service attack when used with very long strings.
- CVE-2025-32873: Denial-of-service possibility in `strip_tags()`. `django.utils.html.strip_tags()` would be slow to evaluate certain inputs containing large sequences of incomplete HTML tags. This function is used to implement the `striptags` template filter, which was therefore also vulnerable. `strip_tags()` now raises a `SuspiciousOperation` exception if it encounters an unusually large number of unclosed opening tags.
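The two mitigations described in the entries above, capping the HTML input a helper will ever examine and refusing input with an unusually large number of unclosed opening tags before any work is spent on it, can be applied to any tag-stripping or truncation helper that has to run on untrusted text. The following is an added example written for this advisory, not Django's own code: a dependency-free tag stripper with both guards. `MAX_HTML_INPUT_CHARS` (set to the five-million-character figure quoted above), `MAX_UNCLOSED_TAGS` (an assumed threshold of 50), `SuspiciousInput`, `count_unclosed_tags` and `bounded_strip_tags` are names and values chosen for this example; Django's real fix lives in its parser-based `strip_tags()` and raises `django.core.exceptions.SuspiciousOperation`.

```python
import re

# Thresholds for this example (assumptions, not Django's own constants).
# MAX_HTML_INPUT_CHARS mirrors the five-million-character cap the advisory
# describes for Truncator in HTML mode; MAX_UNCLOSED_TAGS is an illustrative
# value for "an unusually large number of unclosed opening tags".
MAX_HTML_INPUT_CHARS = 5_000_000
MAX_UNCLOSED_TAGS = 50


class SuspiciousInput(ValueError):
    """Raised when an input looks designed to exhaust the tag stripper.

    Django's fix raises django.core.exceptions.SuspiciousOperation; this
    example has no Django dependency, so it defines its own exception.
    """


# One tag: '<', the shortest run of non-'>' characters, then '>'.  Excluding
# '>' from the repeated class means a match can never extend past the next
# '>', so the engine does not rescan the remainder of the string.
_TAG_RE = re.compile(r"<[^>]*?>")


def _strip_once(value: str) -> str:
    """Remove every complete <...> tag from value in a single pass."""
    return _TAG_RE.sub("", value)


def count_unclosed_tags(value: str) -> int:
    """Count '<' characters that have no '>' anywhere after them.

    Every '<' after the last '>' can never be closed, and every '<' before
    it can be; both str.rfind and str.count run in C, so this stays O(n).
    """
    last_close = value.rfind(">")
    return value.count("<", last_close + 1)


def bounded_strip_tags(value: str) -> str:
    """Strip HTML tags with the two guards the advisory describes.

    1. Cap the amount of text the stripper will ever look at (the same idea
       as limiting Truncator's HTML input to its first five million chars).
    2. Refuse input carrying an unusually large number of unclosed opening
       tags instead of spending CPU on it, as the strip_tags() fix does.
    Both guards run before any regex work, so a hostile input costs at most
    one linear scan.
    """
    if len(value) > MAX_HTML_INPUT_CHARS:
        value = value[:MAX_HTML_INPUT_CHARS]

    unclosed = count_unclosed_tags(value)
    if unclosed > MAX_UNCLOSED_TAGS:
        raise SuspiciousInput(
            f"{unclosed} unclosed opening tags exceeds the limit of "
            f"{MAX_UNCLOSED_TAGS}"
        )

    # Django's stripper loops because its parser-based pass can leave newly
    # exposed tags behind.  The same termination rule is kept here: a pass
    # that does not reduce the number of '<' characters ends the loop, so
    # the number of passes is bounded by the (already capped) input size.
    while "<" in value and ">" in value:
        new_value = _strip_once(value)
        if new_value.count("<") == value.count("<"):
            break
        value = new_value
    return value


if __name__ == "__main__":
    print(bounded_strip_tags("<p>Hello <b>world</b></p>"))
```

The point of ordering is that both guards are cheap, single-scan checks placed ahead of the expensive part, which is the shape of every fix in this advisory: bound the work before doing it rather than hoping the regex or parser finishes quickly. On a Debian system the fix itself is simply the package upgrade named below; this example only shows the defensive pattern so it can be recognised in, or applied to, other code that handles untrusted HTML.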
For Debian 10 buster, these problems have been fixed in version 1:1.11.29-1+deb10u15.
For Debian 9 stretch, these problems have been fixed in version 1:1.10.7-2+deb9u26.
We recommend that you upgrade your python-django packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.