| Package | python-django |
|---|---|
| Version | 1:1.11.29-1+deb10u12 (buster) |
| Related CVEs | CVE-2024-41989 CVE-2024-41991 CVE-2024-42005 |

(Release for buster only)
A number of vulnerabilities were discovered in Django, a popular Python-based web development framework:

- CVE-2024-41989: The `floatformat` template filter was subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
- CVE-2024-41991: The `urlize` and `urlizetrunc` template filters (as well as the `AdminURLFieldWidget` widget) were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
- CVE-2024-42005: The `QuerySet.values()` and `values_list()` methods on models with a `JSONField` were subject to a SQL injection attack through column aliases via a crafted JSON object key.
For Debian 10 buster, these problems have been fixed in version 1:1.11.29-1+deb10u12.
We recommend that you upgrade your python-django packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.