
Debian LTS: DLA-1872-1 Moderate: python-django Denial-Of-Service Risk

August 6, 2019
This python-django update for Debian LTS fixes two denial-of-service vulnerabilities in the Django web framework, both caused by pathological inputs to text-processing helpers that are exposed through template filters.
Summary

It was discovered that there were two vulnerabilities in the Django web development framework:

* CVE-2019-14232: Prevent a possible denial-of-service in

If django.utils.text.Truncator's chars() and words() methods were
passed the html=True argument, they were extremely slow to
evaluate certain inputs due to a catastrophic backtracking
vulnerability in a regular expression. The chars() and words()
methods are used to implement the truncatechars_html and
truncatewords_html template filters, which were thus vulnerable.

The regular expressions used by Truncator have been simplified in
order to avoid potential backtracking issues. As a consequence,
trailing punctuation may now at times be included in the
truncated output.
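As an added example (not Django's code, and not the exact regular expressions Django used or ships), the block below shows the shape of the Truncator problem: a pattern whose repeated group can match the same run of characters in several ways backtracks exponentially once the overall match fails, while a pattern that admits only one way to match each input runs in linear time. It also includes a constructed HTML-aware word truncator built on an unambiguous tokenizer, which shows the side effect the advisory mentions: punctuation attached to a word survives truncation. The pattern names, growth(), timed_match() and truncate_words_html() are this example's own inventions, and all inputs are constructed.

```python
import re
import time

# Added example, not Django's code. The patterns here are constructed to
# show the shape of the problem and are not the expressions Django used.

# Vulnerable shape: the repeated group's "\w+" alternative can match the
# same run of word characters in many ways (a+ inside (...)+). When the
# trailing "$" fails, the engine retries every split, so work grows ~2**n.
AMBIGUOUS = re.compile(r'^(?:\w+|&\w*;)+$')

# Simplified shape: each iteration consumes exactly one word character or
# one complete entity, and the alternatives start with disjoint characters
# ("\w" versus "&"), so there is one way to match any input: linear time.
UNAMBIGUOUS = re.compile(r'^(?:\w|&\w*;)+$')

# Tokenizer for a constructed HTML-aware word truncator: a tag, or a run of
# non-tag, non-space characters. Neither alternative can absorb text the
# other one could, so finditer() does bounded work per character.
TOKEN = re.compile(r'<[^>]+?>|[^<>\s]+')


def is_word_run(text, pattern=UNAMBIGUOUS):
    """True when text consists only of word characters and entities."""
    return pattern.match(text) is not None


def timed_match(pattern, text):
    """Return (matched, seconds) for one pattern.match(text) call."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def growth(pattern, sizes, fill='a', tail='!'):
    """Time pattern.match on fill*n + tail for each n in sizes.

    The tail character never matches, so the overall match fails and the
    engine has to exhaust its backtracking before giving up. Timings are
    machine dependent; what matters is the ratio between successive sizes.
    """
    return [(n, timed_match(pattern, fill * n + tail)[1]) for n in sizes]


def truncate_words_html(text, num):
    """Keep the first num words of text, leaving tags in place.

    Tags are not counted as words. Punctuation glued to a word ("Hello,")
    is part of that word, so it is kept: the trade-off the advisory notes.
    Constructed illustration: it does not close tags left open by the cut.
    """
    end = 0
    words = 0
    for m in TOKEN.finditer(text):
        if m.group(0).startswith('<'):
            continue
        words += 1
        if words > num:
            break
        end = m.end()
    else:
        return text          # fewer than num words: nothing to cut
    return text[:end]


if __name__ == '__main__':
    # Constructed inputs. The ambiguous pattern roughly doubles its time
    # with every extra character; the unambiguous one stays flat.
    for n, secs in growth(AMBIGUOUS, [14, 16, 18]):
        print(f'ambiguous   n={n:<6} {secs:.4f}s')
    for n, secs in growth(UNAMBIGUOUS, [1000, 10000, 100000]):
        print(f'unambiguous n={n:<6} {secs:.4f}s')
    print(truncate_words_html('<p>Hello, <b>brave</b> new world.</p>', 2))
```

The growth() harness is the check worth keeping around: feed any user-facing text filter an input that almost matches but fails at the end, double the length a few times, and watch whether the runtime doubles with each extra character (exponential) or with each doubling of the input (linear). Absolute timings vary by machine; the ratio between successive sizes is what tells you whether a filter can be turned into a denial of service.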

* CVE-2019-14233: Prevent a possible denial-of-service in strip_tags().

Due to the behavior of the underlying HTMLParser,
django.utils.html.strip_tags() would be extremely slow to
evaluate certain inputs containing large sequences of nested
incomplete HTML entities. The strip_tags() method is used to
implement the corresponding striptags template filter, which was



Package: python-django
Version: 1.7.11-1+deb8u7
Debian Bug: #934026
