Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-6414-1

Ubuntu Security Notice 6414-1 - Wenchao Li discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.

Packet Storm
#vulnerability#web#ubuntu#dos

==========================================================================
Ubuntu Security Notice USN-6414-1
October 04, 2023

python-django vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 23.04
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS

Summary:

Django could be made to consume resources or crash if it received specially
crafted network traffic.

Software Description:

  • python-django: High-level Python web development framework

Details:

Wenchao Li discovered that the Django Truncator function incorrectly
handled very long HTML input. A remote attacker could possibly use this
issue to cause Django to consume resources, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
python3-django 3:3.2.18-1ubuntu0.5

Ubuntu 22.04 LTS:
python3-django 2:3.2.12-2ubuntu1.9

Ubuntu 20.04 LTS:
python3-django 2:2.2.12-1ubuntu0.20

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6414-1
CVE-2023-43665

Package Information:
https://launchpad.net/ubuntu/+source/python-django/3:3.2.18-1ubuntu0.5
https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.9
https://launchpad.net/ubuntu/+source/python-django/2:2.2.12-1ubuntu0.20

Related news

Red Hat Security Advisory 2024-2010-03

Red Hat Security Advisory 2024-2010-03 - An update is now available for Red Hat Satellite 6.15. The release contains a new version of Satellite and important security fixes for various components. Issues addressed include HTTP request smuggling, crlf injection, denial of service, file disclosure, and traversal vulnerabilities.

Red Hat Security Advisory 2024-1878-03

Red Hat Security Advisory 2024-1878-03 - An updated version of Red Hat Update Infrastructure is now available. RHUI 4.8 fixes several security an operational bugs, adds some new features and upgrades the underlying Pulp to a newer version. Issues addressed include HTTP request smuggling, crlf injection, denial of service, and traversal vulnerabilities.

GHSA-h8gc-pgj2-vjm3: Django Denial-of-service in django.utils.text.Truncator

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

CVE-2023-43665: Django security releases issued: 4.2.6, 4.1.12, and 3.2.22

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

Red Hat Security Advisory 2023-6158-01

Red Hat Security Advisory 2023-6158-01 - An update is now available for Red Hat Ansible Automation Platform 2.4.

Ubuntu Security Notice USN-6414-2

Ubuntu Security Notice 6414-2 - USN-6414-1 and USN-6378-1 fixed CVE-2023-43665 and CVE-2023-41164 in Django, respectively. This update provides the corresponding update for Ubuntu 18.04 LTS. Wenchao Li discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.

Packet Storm: Latest News

Zeek 6.0.9