Headline
Ubuntu Security Notice USN-6414-1
Ubuntu Security Notice 6414-1 - Wenchao Li discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.
==========================================================================
Ubuntu Security Notice USN-6414-1
October 04, 2023
python-django vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Django could be made to consume resources or crash if it received specially
crafted network traffic.
Software Description:
- python-django: High-level Python web development framework
Details:
Wenchao Li discovered that the Django Truncator function incorrectly
handled very long HTML input. A remote attacker could possibly use this
issue to cause Django to consume resources, leading to a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
python3-django 3:3.2.18-1ubuntu0.5
Ubuntu 22.04 LTS:
python3-django 2:3.2.12-2ubuntu1.9
Ubuntu 20.04 LTS:
python3-django 2:2.2.12-1ubuntu0.20
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6414-1
CVE-2023-43665
Package Information:
https://launchpad.net/ubuntu/+source/python-django/3:3.2.18-1ubuntu0.5
https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.9
https://launchpad.net/ubuntu/+source/python-django/2:2.2.12-1ubuntu0.20
Related news
Red Hat Security Advisory 2024-2010-03 - An update is now available for Red Hat Satellite 6.15. The release contains a new version of Satellite and important security fixes for various components. Issues addressed include HTTP request smuggling, crlf injection, denial of service, file disclosure, and traversal vulnerabilities.
Red Hat Security Advisory 2024-1878-03 - An updated version of Red Hat Update Infrastructure is now available. RHUI 4.8 fixes several security an operational bugs, adds some new features and upgrades the underlying Pulp to a newer version. Issues addressed include HTTP request smuggling, crlf injection, denial of service, and traversal vulnerabilities.
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Red Hat Security Advisory 2023-6158-01 - An update is now available for Red Hat Ansible Automation Platform 2.4.
Ubuntu Security Notice 6414-2 - USN-6414-1 and USN-6378-1 fixed CVE-2023-43665 and CVE-2023-41164 in Django, respectively. This update provides the corresponding update for Ubuntu 18.04 LTS. Wenchao Li discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.