| Package | python-django |
|---|---|
| Version | 1:1.10.7-2+deb9u22 (stretch) |
| Related CVEs | CVE-2023-36053, CVE-2023-43665, CVE-2024-24680 |
Three vulnerabilities were fixed in python-django, a popular Python-based web development framework:

- CVE-2023-36053: Prevent a potential regular expression denial of service (DoS) vulnerability in `EmailValidator` and `URLValidator`. `EmailValidator` and `URLValidator` were subject to a potential regular expression denial of service attack via a very large number of domain name labels in emails and URLs.
- CVE-2023-43665: Fix a DoS vulnerability in `django.utils.text.Truncator`. Following the fix for CVE-2019-14232, the regular expressions used in the implementation of `django.utils.text.Truncator`'s `chars()` and `words()` methods were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability.
- CVE-2024-24680: Prevent a potential DoS in the `intcomma` template filter. The `intcomma` template filter was subject to a potential denial-of-service attack when used with very long strings.
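As an added illustration of why a thousands-separator filter can degrade on very long strings (this is not Debian's or Django's code, and the advisory above does not describe the mechanism): a loop of anchored regex substitutions that rescans the whole string for every comma inserted, beside a single-pass grouping that produces the same output in linear time. `intcomma_repeated_regex`, `intcomma_linear` and `outputs_agree` are constructed helpers; the pass counter makes the cost growth visible without timing.

```python
import re

# Constructed illustration, not Django's code: an anchored regex substitution
# that inserts one comma per pass and rescans the whole string from the start
# each time. A run of n digits needs about n/3 passes of O(n) work each, so
# the total work grows quadratically with the input length.
_GROUP_RE = re.compile(r"^(-?\d+)(\d{3})")


def intcomma_repeated_regex(value):
    """Return (formatted, passes); passes counts whole-string regex scans."""
    text = str(value)
    passes = 0
    while True:
        passes += 1
        new = _GROUP_RE.sub(r"\g<1>,\g<2>", text)
        if new == text:
            return text, passes
        text = new


def intcomma_linear(value):
    """Single-pass equivalent: group the leading digit run in threes.

    Keeps an optional leading '-', leaves anything after the digit run
    (a decimal part or other suffix) untouched, and returns input that
    does not start with digits unchanged. Runs in O(n).
    """
    text = str(value)
    m = re.fullmatch(r"(-?)(\d+)(.*)", text, flags=re.DOTALL)
    if m is None:
        return text
    sign, digits, rest = m.groups()
    groups = []
    for end in range(len(digits), 0, -3):
        groups.append(digits[max(0, end - 3):end])
    return sign + ",".join(reversed(groups)) + rest


def outputs_agree(values):
    """True if both implementations format every sample identically."""
    return all(intcomma_repeated_regex(v)[0] == intcomma_linear(v) for v in values)


if __name__ == "__main__":
    samples = ["1234567", "-1234567.891", "12", "abc", "1234abc", ""]
    print("outputs agree:", outputs_agree(samples))
    for n in (30, 300, 3000):
        _, passes = intcomma_repeated_regex("1" * n)
        print(f"{n} digits: {passes} regex passes over the whole string")
```

The number of passes grows linearly with the digit count while each pass is itself linear, which is the quadratic behaviour a long input exercises; the single-pass version removes it.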
For Debian 9 stretch, these problems have been fixed in version 1:1.10.7-2+deb9u22.
We recommend that you upgrade your python-django packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.