releasing package python-django version 1:1.11.29-1+deb10u15

debian/changelog

+python-django (1:1.11.29-1+deb10u15) buster-security; urgency=high
+
+  * Non-maintainer upload by the ELTS security team.
+  * CVE-2023-43665: Address a denial-of-service possibility in
+    django.utils.text.Truncator. Following the fix for CVE-2019-14232, the
+    regular expressions used in the implementation of
+    django.utils.text.Truncator’s chars() and words() methods (with html=True)
+    were revised and improved. However, these regular expressions still
+    exhibited linear backtracking complexity, so when given a very long,
+    potentially malformed HTML input, the evaluation would still be slow,
+    leading to a potential denial of service vulnerability. The chars() and
+    words() methods are used to implement the truncatechars_html and
+    truncatewords_html template filters, which were thus also vulnerable.  The
+    input processed by Truncator, when operating in HTML mode, has been limited
+    to the first five million characters in order to avoid potential
+    performance and memory issues.
+  * CVE-2024-24680: Potential denial-of-service in intcomma template filter.
+    The intcomma template filter was subject to a potential denial-of-service
+    attack when used with very long strings.
+  * CVE-2025-32873: Denial-of-service possibility in strip_tags().
+    django.utils.html.strip_tags() would be slow to evaluate certain inputs
+    containing large sequences of incomplete HTML tags. This function is used
+    to implement the striptags template filter, which was therefore also
+    vulnerable. strip_tags() now raises a SuspiciousOperation exception if it
+    encounters an unusually large number of unclosed opening tags.
+    (Closes: #1104872)
+
+ -- Chris Lamb <lamby@debian.org>  Fri, 13 Jun 2025 11:15:47 -0700
+
 python-django (1:1.11.29-1+deb10u14) buster-security; urgency=high
 
   * CVE-2025-26699: Prevent a potential denial-of-service in the wrap()