Debian LTS Advisory ([SECURITY] [DLA 1872-1] python-django security update)
Information
Severity
Family
CVSSv2 Base
CVSSv2 Vector
Solution Type
Created
Modified
Summary
The remote host is missing an update for the 'python-django' package(s) announced via the DLA-1872-1 advisory.
Insight
It was discovered that there were two vulnerabilities in the Django web development framework:

* CVE-2019-14232: Prevent a possible denial-of-service in django.utils.text.Truncator. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. The regular expressions used by Truncator have been simplified in order to avoid potential backtracking issues. As a consequence, trailing punctuation may now at times be included in the truncated output.

* CVE-2019-14233: Prevent a possible denial-of-service in strip_tags(). Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable. strip_tags() now stops making recursive calls to HTMLParser once a pass no longer removes any tags, even if the parser would still be consuming incomplete HTML entities.

Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape().
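A stand-alone sketch of the two points above, added here as an example and not Django's own code: a strip_tags() built on the standard-library HTMLParser that re-parses only while a pass actually removes a tag (the termination rule the CVE-2019-14233 fix describes), plus the escape step that must precede any mark_safe(). Function and class names are my own, and the sample strings are constructed.

```python
from html import escape
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Keeps text and entity/char references, drops tags."""

    def __init__(self):
        # convert_charrefs=False so '&lt;' is reported to us verbatim, not decoded.
        super().__init__(convert_charrefs=False)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")

    def get_data(self):
        return "".join(self.parts)


def _strip_once(value):
    stripper = _TagStripper()
    stripper.feed(value)
    stripper.close()
    return stripper.get_data()


def strip_tags(value):
    """Strip tags in repeated passes, but only while a pass removes at least one tag."""
    value = str(value)
    while "<" in value and ">" in value:
        new_value = _strip_once(value)
        if value.count("<") == new_value.count("<"):
            # No tag was removed this pass: stop here even if the parser would
            # still be chewing through incomplete entities (the DoS fix's rule).
            break
        value = new_value
    return value


def strip_tags_then_escape(value):
    """strip_tags() output is NOT HTML-safe (a stray '<' survives); escape before mark_safe."""
    return escape(strip_tags(value), quote=True)
```

Constructed input "1 < 2 and <b>3 > 1</b>" strips to "1 < 2 and 3 > 1", which still contains a raw '<' and '>', and only becomes safe to mark after escaping.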
Affected Software
'python-django' package(s) on Debian Linux.
Detection Method
Checks if a vulnerable package version is present on the target host.
Solution
For Debian 8 'Jessie', these problems have been fixed in python-django version 1.7.11-1+deb8u7. We recommend that you upgrade your python-django packages.