===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0600
                       python-django security update
                              2 February 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-django
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-23969

Original Bulletin:
   https://www.debian.org/lts/security/2023/dla-3306

Comment: CVSS (Max):  7.5 CVE-2023-23969 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory                                          DLA-3306-1
debian-lts@lists.debian.org                 https://www.debian.org/lts/security/
Chris Lamb                                             February 01, 2023
https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-django
Version        : 1:1.11.29-1+deb10u6
CVE ID         : CVE-2023-23969
Debian Bug     : 1030251

It was discovered that there was a potential Denial of Service (DoS)
vulnerability in Django, a popular Python-based web development framework.

Parsed values of the Accept-Language HTTP headers are cached by Django in
order to avoid repetitive parsing. This could have led to a potential
denial-of-service attack via excessive memory usage if the raw value of
Accept-Language headers was very large. Accept-Language headers are now
limited to a maximum length specifically in order to avoid this issue.

For Debian 10 buster, this problem has been fixed in version
1:1.11.29-1+deb10u6.

We recommend that you upgrade your python-django packages.
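As an added example (not Django's or Debian's own code), the following bounded-length Accept-Language parser applies the mitigation the advisory describes: the memoised parser only ever receives a prefix of the header cut at an entry boundary, so neither one enormous header nor a stream of distinct ones can grow the cache without limit. The 500-byte cap, the 1000-entry cache size and all function names are assumptions, since the advisory states only that a maximum length is now enforced.

```python
import functools
import re

# Assumed cap; the advisory says only that the header is now length-limited.
ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500

# One header entry: a language tag or "*", with an optional q-value.
_ENTRY_RE = re.compile(
    r"^(?P<lang>[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)"
    r"(?:\s*;\s*q=(?P<q>0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?$"
)

@functools.lru_cache(maxsize=1000)
def _parse_accept_lang_header(lang_string):
    """Parse a header body into a tuple of (lang, q), highest q first.

    The raw string is the cache key, so the caller must bound its length;
    caching unbounded client input is the CVE-2023-23969 condition.
    A malformed header yields ().
    """
    result = []
    for piece in lang_string.split(","):
        match = _ENTRY_RE.match(piece.strip())
        if match is None:
            return ()
        q = float(match.group("q")) if match.group("q") else 1.0
        result.append((match.group("lang").lower(), q))
    result.sort(key=lambda item: item[1], reverse=True)  # stable sort
    return tuple(result)

def bound_accept_language(lang_string):
    """Return the prefix of the header that is safe to parse and cache."""
    if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
        return lang_string
    # Keep whole entries up to the last comma inside the cap, so a long but
    # genuine header still yields its leading preferences.
    index = lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)
    return lang_string[:index] if index > 0 else ""

def parse_accept_lang_header(lang_string):
    """Public entry point: only bounded input reaches the cache."""
    bounded = bound_accept_language(lang_string)
    return _parse_accept_lang_header(bounded) if bounded else ()

def cached_header_bytes_upper_bound():
    """Worst-case header text the cache can retain once input is capped."""
    info = _parse_accept_lang_header.cache_info()
    return info.maxsize * ACCEPT_LANGUAGE_HEADER_MAX_LENGTH
```

With a constructed 900 kB header of repeated entries, bound_accept_language() hands the cache only the first 494 bytes (55 complete entries), and the cache can never hold more than maxsize times the cap in key text.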
For the detailed security status of python-django please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which
may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================