-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0600
                       python-django security update
                              2 February 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-django
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-23969  

Original Bulletin: 
   https://www.debian.org/lts/security/2023/dla-3306

Comment: CVSS (Max):  7.5 CVE-2023-23969 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3306-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
February 01, 2023                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : python-django
Version        : 1:1.11.29-1+deb10u6
CVE ID         : CVE-2023-23969
Debian Bug     : 1030251

It was discovered that there was a potential Denial of Service (DoS)
vulnerability in Django, a popular Python-based web development
framework.

Parsed values of the Accept-Language HTTP headers are cached by
Django in order to avoid repetitive parsing. This could have led to a
potential denial-of-service attack via excessive memory usage if the
raw value of Accept-Language headers was very large.

Accept-Language headers are now limited to a maximum length
specifically in order to avoid this issue.
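To make the mechanism in the two paragraphs above concrete, the following is an added example, not Django's code or the Debian package's: it models a memoization cache keyed on the raw Accept-Language value, shows how many bytes of header text such a cache retains when every request carries a distinct oversized header, and then applies a length cap before the value reaches the cache. The parser, the small LRU class, the 500-character cap and the 1000-entry cache size are all constructed for illustration; the advisory states that a maximum length is now enforced but does not give the figure, and the request headers are constructed input.

```python
"""Memory retained by an Accept-Language parse cache, with and without a cap.

Added example, not Django's implementation. The parser, the LRU cache and
the constants below are constructed for illustration only.
"""
from collections import OrderedDict

ACCEPT_LANGUAGE_MAX_LENGTH = 500   # assumed cap; the advisory gives no figure
CACHE_SIZE = 1000                  # assumed memoization size


def parse_accept_lang(header):
    """Parse 'en-US,en;q=0.8,fr;q=0.5' into [(tag, q)], highest q first.

    Entries with a malformed or out-of-range q value are dropped.
    """
    result = []
    for piece in header.split(","):
        tag, _, params = piece.strip().partition(";")
        tag = tag.strip().lower()
        if not tag:
            continue
        q = 1.0
        params = params.strip()
        if params.startswith("q="):
            try:
                q = float(params[2:])
            except ValueError:
                continue
        if 0.0 <= q <= 1.0:
            result.append((tag, q))
    result.sort(key=lambda item: -item[1])   # stable sort, descending q
    return result


class ParsedHeaderCache:
    """Tiny LRU cache keyed on the raw header string.

    It stands in for the memoization the advisory describes and exposes how
    much header text it is holding, which a stock lru_cache does not.
    """

    def __init__(self, maxsize, max_key_length=None):
        self.maxsize = maxsize
        self.max_key_length = max_key_length   # None reproduces the uncapped behaviour
        self._store = OrderedDict()

    def _normalise(self, header):
        """Apply the length cap before the value becomes a cache key."""
        if self.max_key_length is None or len(header) <= self.max_key_length:
            return header
        # Keep only whole comma-separated entries that fit inside the cap; the
        # entry straddling the cut would be a truncated tag, so it is dropped.
        head = header[: self.max_key_length]
        cut = head.rfind(",")
        return head[:cut] if cut != -1 else ""

    def get(self, header):
        key = self._normalise(header)
        if key in self._store:
            self._store.move_to_end(key)
            return self._store[key]
        parsed = parse_accept_lang(key)
        self._store[key] = parsed
        if len(self._store) > self.maxsize:
            self._store.popitem(last=False)   # evict least recently used
        return parsed

    def retained_bytes(self):
        """Bytes of raw header text currently pinned in memory by the cache."""
        return sum(len(key) for key in self._store)


def demo(request_count=50, header_length=20_000):
    """Feed distinct oversized headers (constructed input) to both caches.

    Returns (bytes retained without a cap, bytes retained with the cap).
    """
    uncapped = ParsedHeaderCache(maxsize=CACHE_SIZE)
    capped = ParsedHeaderCache(maxsize=CACHE_SIZE,
                               max_key_length=ACCEPT_LANGUAGE_MAX_LENGTH)
    for i in range(request_count):
        # A per-request counter makes every header unique, so nothing is a
        # cache hit; the rest is padding made of plausible language entries.
        header = f"en-{i:06d}," + ",".join(["de;q=0.9"] * (header_length // 9))
        header = header[:header_length]
        uncapped.get(header)
        capped.get(header)
    return uncapped.retained_bytes(), capped.retained_bytes()


if __name__ == "__main__":
    before, after = demo()
    print(f"uncapped cache holds {before} bytes of header text")
    print(f"capped cache holds   {after} bytes of header text")
```

With the constructed parameters the uncapped cache pins the full 20,000 characters of every distinct header, so memory grows with the cache size times the largest header a client cares to send; the capped cache retains at most the cap per entry regardless of request size. The trade-off is that two headers which differ only beyond the cap share one cache entry, which is acceptable because no legitimate client needs hundreds of language preferences to be honoured.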

For Debian 10 buster, this problem has been fixed in version
1:1.11.29-1+deb10u6.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----