[Python-modules-team] Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235

Chris Lamb lamby at debian.org
Tue Aug 6 10:03:54 BST 2019 

Package: python-django
Version: 1.7.11-1+deb8u6
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

CVE-2019-14232[0]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's
| chars() and words() methods were passed the html=True argument, they
| were extremely slow to evaluate certain inputs due to a catastrophic
| backtracking vulnerability in a regular expression. The chars() and
| words() methods are used to implement the truncatechars_html and
| truncatewords_html template filters, which were thus vulnerable.


CVE-2019-14233[1]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying
| HTMLParser, django.utils.html.strip_tags would be extremely slow to
| evaluate certain inputs containing large sequences of nested
| incomplete HTML entities.


CVE-2019-14234[2]:
SQL injection possibility in key and index lookups for JSONField/HStoreField

CVE-2019-14235[3]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs,
| django.utils.encoding.uri_to_iri could lead to significant memory
| usage due to a recursion when repercent-encoding invalid UTF-8 octet
| sequences.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14232
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
[1] https://security-tracker.debian.org/tracker/CVE-2019-14233
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14233
[2] https://security-tracker.debian.org/tracker/CVE-2019-14234
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14234
[3] https://security-tracker.debian.org/tracker/CVE-2019-14235
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14235


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org / chris-lamb.co.uk
       `-

More information about the Python-modules-team mailing list