| Package | python-django |
|---|---|
| Version | 1:1.10.7-2+deb9u29 (stretch), 1:1.11.29-1+deb10u18 (buster) |
| Related CVEs | CVE-2021-32052 CVE-2024-27351 CVE-2019-14232 CVE-2024-39614 CVE-2024-45231 |
Multiple vulnerabilities were discovered in Django, the Python-based web development framework:

- CVE-2021-32052: Header injection possibility since `URLValidator` accepted newlines in input on Python 3.9.5+.
- CVE-2024-27351: Fix a potential regular expression denial-of-service (“ReDoS”) attack in `django.utils.text.Truncator.words`. This method (with `html=True`) and the `truncatewords_html` template filter were subject to a potential regular expression denial-of-service attack via a suitably crafted string. This is, in part, a follow-up to CVE-2019-14232 and CVE-2023-43665.
- CVE-2024-39614: Fix a potential denial-of-service in `django.utils.translation.get_supported_language_variant`. This method was subject to a potential DoS attack when used with very long strings containing specific characters. To mitigate this vulnerability, the language code provided to `get_supported_language_variant` is now parsed up to a maximum length of 500 characters.
- CVE-2024-45231: Potential user email enumeration via response status on password reset. Due to unhandled email sending failures, the `django.contrib.auth.forms.PasswordResetForm` class allowed remote attackers to enumerate user emails by issuing password reset requests and observing the outcomes. To mitigate this risk, exceptions occurring during password reset email sending are now handled and logged using the `django.contrib.auth` logger.
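The CVE-2021-32052 entry above describes a validator that let newlines through because, from Python 3.9.5 on, `urllib.parse.urlsplit` strips ASCII tab, CR and LF before parsing, so a validator that only inspects the parsed result never sees them. The following is an added example, not Django's `URLValidator` and not code from this advisory: a small standalone check that rejects those characters up front, before the URL is parsed or placed into a response header. The function names `is_safe_http_url` and `location_header` are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Characters that urlsplit() on Python 3.9.5+ silently discards. If they reach
# a response header unfiltered, a CR/LF pair terminates the header line, which
# is the header injection risk the advisory refers to.
_CONTROL_CHARS = re.compile(r"[\r\n\t]")


def is_safe_http_url(value: str) -> bool:
    """Return True only for an http(s) URL with a host and no CR/LF/TAB bytes.

    The control-character check runs on the raw string, deliberately before
    urlsplit(), so the stripping behaviour of the parser cannot hide them.
    (Hypothetical helper, not Django's URLValidator.)
    """
    if not isinstance(value, str) or _CONTROL_CHARS.search(value):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def location_header(url: str) -> str:
    """Build a Location header value only from a URL that passed the check.

    Raising here is the safe failure mode: the alternative is emitting a
    header whose value can contain a line break.
    """
    if not is_safe_http_url(url):
        raise ValueError("refusing to place an unvalidated URL in a response header")
    return url


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    for candidate in (
        "https://example.com/account",
        "https://example.com/\r\nSet-Cookie: session=attacker",
        "ftp://example.com/",
    ):
        print(repr(candidate), "->", is_safe_http_url(candidate))
```

The point of the ordering is that the parser is treated as untrusted for this purpose: the raw input is inspected first, and only then handed to `urlsplit`, which remains useful for the scheme and host checks.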
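The CVE-2024-45231 entry above is an oracle problem: if sending the reset email raises only when the address belongs to a real account, the error response itself reveals which addresses exist. The following is an added example, not the code of `django.contrib.auth.forms.PasswordResetForm` and not part of this advisory; it uses a constructed in-memory user store and an injected `transport` callable so it runs offline. It places the "before" behaviour (exception escapes, status differs by account existence) beside the mitigated form (exception caught and logged, identical outcome either way). The names `reset_password_unsafe`, `reset_password_safe`, `USERS` and the `"auth"` logger name are assumptions made for this illustration.

```python
import logging

# Stands in for the django.contrib.auth logger named in the advisory (assumption).
logger = logging.getLogger("auth")

# Constructed user store for the example: only one address is registered.
USERS = {"alice@example.com": {"active": True}}


class MailerDown(Exception):
    """Constructed failure raised by a transport whose mail server is unreachable."""


def send_reset_email(address: str, transport) -> None:
    """Deliver the reset message via the injected transport (hypothetical helper)."""
    transport(address)


def reset_password_unsafe(email: str, transport) -> int:
    """Before the fix: a send failure propagates to the caller.

    For an unknown address nothing is sent, so the handler always returns 200.
    For a known address a failing mailer raises, which the web layer would turn
    into a 500. The status code therefore differs by whether the account exists.
    """
    if email in USERS:
        send_reset_email(email, transport)  # may raise
    return 200


def reset_password_safe(email: str, transport) -> int:
    """After the fix: failures are handled and logged, the outcome is uniform.

    Whether the address is unknown, the send succeeds, or the send fails, the
    caller sees the same status; the operational failure goes to the log.
    """
    if email in USERS:
        try:
            send_reset_email(email, transport)
        except Exception:
            logger.exception("Failed to send password reset email")
    return 200


def failing_transport(address: str) -> None:
    """Constructed transport that always fails, simulating an outage."""
    raise MailerDown("SMTP relay unreachable")


def probe(handler, transport) -> dict:
    """Return the status each handler produces for a known and an unknown address.

    An exception is recorded as 500, mirroring what a web framework's default
    error handling would return. Comparing the two entries shows whether the
    handler leaks account existence.
    """
    results = {}
    for address in ("alice@example.com", "bob@example.com"):
        try:
            results[address] = handler(address, transport)
        except Exception:
            results[address] = 500
    return results


if __name__ == "__main__":
    print("unsafe:", probe(reset_password_unsafe, failing_transport))
    print("safe:  ", probe(reset_password_safe, failing_transport))
```

Run against the failing transport, the unsafe handler answers 500 for the registered address and 200 for the unregistered one, which is exactly the distinguishing signal; the safe handler answers 200 for both, and the operator learns about the outage from the log rather than the client learning about the account from the status.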
For Debian 10 buster, these problems have been fixed in version 1:1.11.29-1+deb10u18.
For Debian 9 stretch, these problems have been fixed in version 1:1.10.7-2+deb9u29.
We recommend that you upgrade your python-django packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.