| Package | python-django |
|---|---|
| Version | 1.7.11-1+deb8u21 (jessie) |
| Related CVEs | CVE-2023-43665 |
A potential denial-of-service vulnerability was uncovered in Django, a popular Python-based web-development framework.

Following the fix for CVE-2019-14232, the regular expressions used in the implementation of `django.utils.text.Truncator`'s `chars()` and `words()` methods (with `html=True`) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial-of-service vulnerability.
The `chars()` and `words()` methods are used to implement the `truncatechars_html` and `truncatewords_html` template filters, which were thus also vulnerable.
The input processed by `Truncator`, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.
For Debian 8 jessie, these problems have been fixed in version 1.7.11-1+deb8u21.
We recommend that you upgrade your python-django packages.
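A practical follow-up to this advisory is confirming that the installed package actually carries the fixed revision. The script below is an added example and is not part of the Debian advisory or of Django: it implements the dpkg version-ordering rules (epoch, upstream version, Debian revision; `~` sorts before anything, digit runs compare numerically) so that a suffix such as `+deb8u21` is compared correctly, which a naive string or float comparison gets wrong. The fixed version string is taken from the advisory; the sample installed version in `__main__` is constructed for illustration, and on a real system it would come from `dpkg-query -W -f='${Version}' python-django`.

```python
"""Check whether an installed Debian python-django version is at or above the
fixed version named in this advisory (1.7.11-1+deb8u21 for jessie).

Added example, not part of the Debian advisory or of Django itself. The
comparison follows the dpkg ordering rules so that Debian-specific suffixes
(+deb8u21, ~bpo, epochs) are ordered the way dpkg orders them.
"""
import re

# Fixed package version quoted in the advisory.
FIXED_VERSION = "1.7.11-1+deb8u21"


def _order(c: str) -> int:
    """dpkg weight of a non-digit character: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    """Compare two non-digit fragments; end of fragment has weight 0."""
    for i in range(max(len(a), len(b))):
        wa = _order(a[i]) if i < len(a) else 0
        wb = _order(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_part(a: str, b: str) -> int:
    """Compare upstream or revision strings by alternating non-digit and digit runs."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        ia, ib = int(da or 0), int(db or 0)  # empty digit run counts as 0
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version: str):
    """Split a Debian version into (epoch, upstream, debian_revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_debian_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version already carries the advisory's fix."""
    return compare_debian_versions(installed, fixed) >= 0


if __name__ == "__main__":
    import sys
    # On a real host: dpkg-query -W -f='${Version}' python-django
    installed = sys.argv[1] if len(sys.argv) > 1 else "1.7.11-1+deb8u20"  # constructed sample
    status = "fixed" if is_fixed(installed) else "VULNERABLE (upgrade needed)"
    print(f"python-django {installed}: {status}")
```

Run it with the version string reported by `dpkg-query` as the first argument; a result of "VULNERABLE" means the package predates 1.7.11-1+deb8u21 and the `truncatechars_html` / `truncatewords_html` filters still process unbounded input.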
Further information about Extended LTS security advisories can be found in the dedicated section of our website.