Operating System:

[Debian]

Published:

09 August 2019


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3027
               python-django security update for Debian LTS
                               9 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          python-django
Publisher:        Debian
Operating System: Debian GNU/Linux 8
Impact/Access:    Denial of Service -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2019-14233 CVE-2019-14232 

Reference:        ESB-2019.2894

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : python-django
Version        : 1.7.11-1+deb8u7
CVE IDs        : CVE-2019-14232 CVE-2019-14233
Debian Bug     : #934026

It was discovered that there were two vulnerabilities in the
Django web development framework:

  * CVE-2019-14232: Prevent a possible denial-of-service in
    django.utils.text.Truncator.

    If django.utils.text.Truncator's chars() and words() methods were
    passed the html=True argument, they were extremely slow to
    evaluate certain inputs due to a catastrophic backtracking
    vulnerability in a regular expression.  The chars() and words()
    methods are used to implement the truncatechars_html and
    truncatewords_html template filters, which were thus vulnerable.

    The regular expressions used by Truncator have been simplified in
    order to avoid potential backtracking issues. As a consequence,
    trailing punctuation may now at times be included in the
    truncated output.

  * CVE-2019-14233: Prevent a possible denial-of-service in strip_tags().

    Due to the behavior of the underlying HTMLParser,
    django.utils.html.strip_tags() would be extremely slow to
    evaluate certain inputs containing large sequences of nested
    incomplete HTML entities. The strip_tags() method is used to
    implement the corresponding striptags template filter, which was
    thus also vulnerable.

    strip_tags() now stops making recursive calls to HTMLParser once a
    pass no longer makes progress removing tags, even though incomplete
    HTML entities necessarily remain in the input.

    Remember that absolutely NO guarantee is provided about the
    results of strip_tags() being HTML safe. So NEVER mark safe the
    result of a strip_tags() call without escaping it first, for
    example with django.utils.html.escape().
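The termination rule and the escaping advice above, as an added stand-alone example (this is not Django's code and not part of the advisory; the progress check on the count of `<` characters and the `strip_and_escape` helper are assumptions modelled on the behaviour the text describes):

```python
import html
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Keep text and entity/char references verbatim; drop tags."""

    def __init__(self):
        # convert_charrefs=False: '&amp;' must not be decoded into '&',
        # otherwise merely encoded text could turn into live markup.
        super().__init__(convert_charrefs=False)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")

    def get_data(self):
        return "".join(self.parts)


def _strip_once(value):
    parser = _TagStripper()
    parser.feed(value)
    parser.close()  # flushes any unparsed tail (e.g. a dangling '<') as data
    return parser.get_data()


def strip_tags(value):
    """Strip tags in passes, but stop as soon as a pass makes no progress.

    Removing '<b>' from '<<b>b>' exposes a fresh '<b>', so one pass is not
    enough. Looping until no '<' remains, however, is what let input full of
    nested incomplete entities keep the parser busy: each pass changed the
    string a little without ever removing a tag. The check below (assumed
    here, modelled on the advisory) ends the loop when no tag was removed.
    """
    value = str(value)
    while "<" in value and ">" in value:
        new_value = _strip_once(value)
        if value.count("<") == new_value.count("<"):
            break  # no further tags detected: do not re-parse again
        value = new_value
    return value


def strip_and_escape(value):
    """strip_tags() output is NOT HTML-safe; escape it before marking safe."""
    return html.escape(strip_tags(value), quote=True)
```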

For Debian 8 "Jessie", these issues have been fixed in python-django version
1.7.11-1+deb8u7.

We recommend that you upgrade your python-django packages. You can
find more information in upstream's announcement:

  https://www.djangoproject.com/weblog/2019/aug/01/security-releases/

Thanks to Carlton Gibson et al. for their handling of these issues.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================