Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-5837-1

Ubuntu Security Notice 5837-1 - Nick Pope discovered that Django incorrectly handled certain Accept-Language headers. A remote attacker could possibly use this issue to cause Django to consume memory, leading to a denial of service.

Packet Storm
#vulnerability#web#ubuntu#dos

==========================================================================
Ubuntu Security Notice USN-5837-1
February 01, 2023

python-django vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 22.10
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS

Summary:

Django could be made to consume memory if it received specially crafted
network traffic.

Software Description:

  • python-django: High-level Python web development framework

Details:

Nick Pope discovered that Django incorrectly handled certain
Accept-Language headers. A remote attacker could possibly use this issue to
cause Django to consume memory, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
python3-django 3:3.2.15-1ubuntu1.1

Ubuntu 22.04 LTS:
python3-django 2:3.2.12-2ubuntu1.4

Ubuntu 20.04 LTS:
python3-django 2:2.2.12-1ubuntu0.15

Ubuntu 18.04 LTS:
python-django 1:1.11.11-1ubuntu1.19
python3-django 1:1.11.11-1ubuntu1.19

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5837-1
CVE-2023-23969

Package Information:
https://launchpad.net/ubuntu/+source/python-django/3:3.2.15-1ubuntu1.1
https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.4
https://launchpad.net/ubuntu/+source/python-django/2:2.2.12-1ubuntu0.15
https://launchpad.net/ubuntu/+source/python-django/1:1.11.11-1ubuntu1.19

Related news

Debian Security Advisory 5465-1

Debian Linux Security Advisory 5465-1 - Seokchan Yoon discovered that missing sanitising in the email and URL validators of Django, a Python web development framework, could result in denial of service.

Red Hat Security Advisory 2023-2097-03

Red Hat Security Advisory 2023-2097-03 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, deserialization, improper neutralization, information leakage, and remote shell upload vulnerabilities.

Red Hat Security Advisory 2023-2101-01

Red Hat Security Advisory 2023-2101-01 - Red Hat Update Infrastructure offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux instances. Issues addressed include denial of service and remote shell upload vulnerabilities.

RHSA-2023:2101: Red Hat Security Advisory: RHUI 4.4.0 release - Security Fixes, Bug Fixes, and Enhancements Update

An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.4 fixes several security and operational bugs, and introduces multiple new features.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40899: An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. * CVE-2023-23969: A flaw was found in python-django. The parsed values of the Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial of service vector via excessive memory usage if large header values are sent. * CVE-2023-24580: A memory exhaustion flaw was found in the python-django package....

GHSA-q2jf-h9jm-m7p4: Django contains Uncontrolled Resource Consumption via cached header

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.

CVE-2023-23969: Django

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.

Ubuntu Security Notice USN-5837-2

Ubuntu Security Notice 5837-2 - USN-5837-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 16.04 ESM. Nick Pope discovered that Django incorrectly handled certain Accept-Language headers. A remote attacker could possibly use this issue to cause Django to consume memory, leading to a denial of service.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution