releasing package python-django version 2:2.2.28-1~deb11u7

d5ec4e00 · Chris Lamb · 9fe44006 · d5ec4e00
Commit d5ec4e00 authored 2 months ago by Chris Lamb
--- a/debian/changelog
+++ b/debian/changelog
+python-django (2:2.2.28-1~deb11u7) bullseye-security; urgency=high
+
+  * CVE-2025-48432: Potential log injection via unescaped request path.
+
+    Django's internal HTTP response logging used request.path directly,
+    allowing control characters (e.g. newlines or ANSI escape sequences) to
+    be written unescaped into logs. This could enable log injection or
+    forgery, letting attackers manipulate log appearance or structure,
+    especially in logs processed by external systems or viewed in terminals.
+    (Closes: #1107282)
+
+  * CVE-2025-32873: Denial-of-service possibility in strip_tags()
+
+    django.utils.html.strip_tags() would be slow to evaluate certain inputs
+    containing large sequences of incomplete HTML tags. This function is used
+    to implement the striptags template filter, which was therefore also
+    vulnerable. strip_tags() now raises a SuspiciousOperation exception if it
+    encounters an unusually large number of unclosed opening tags.
+    (Closes: #1104872)
+
+  * CVE-2023-41164: Potential denial of service vulnerability in
+    django.utils.encoding.uri_to_iri(). This method was subject to potential
+    denial of service attack via certain inputs with a very large number of
+    Unicode characters. (Closes: #1051226)
+
+  * CVE-2023-43665: Address a denial-of-service possibility in
+    django.utils.text.Truncator.
+
+    Following the fix for CVE-2019-14232, the regular expressions used in the
+    implementation of django.utils.text.Truncator’s chars() and words()
+    methods (with html=True) were revised and improved. However, these
+    regular expressions still exhibited linear backtracking complexity, so
+    when given a very long, potentially malformed HTML input, the evaluation
+    would still be slow, leading to a potential denial of service
+    vulnerability.
+
+    The chars() and words() methods are used to implement the
+    truncatechars_html and truncatewords_html template filters, which were
+    thus also vulnerable.
+
+    The input processed by Truncator, when operating in HTML mode, has been
+    limited to the first five million characters in order to avoid potential
+    performance and memory issues.
+
+  * CVE-2024-24680: Potential denial-of-service in intcomma template filter.
+    The intcomma template filter was subject to a potential denial-of-service
+    attack when used with very long strings.
+
+  * CVE-2024-27351: Fix a potential regular expression denial-of-service
+    (ReDoS) attack in django.utils.text.Truncator.words. This method (with
+    html=True) and the truncatewords_html template filter were subject to a
+    potential regular expression denial-of-service attack via a suitably
+    crafted string. This is, in part, a follow up to CVE-2019-14232 and
+    CVE-2023-43665.
+
+ -- Chris Lamb <lamby@debian.org>  Thu, 05 Jun 2025 15:40:11 -0700
+
 python-django (2:2.2.28-1~deb11u6) bullseye-security; urgency=medium

  * CVE-2025-26699: Prevent a potential denial-of-service in the wrap()