
Debian 11: DLA-4210-1 high: python-django update mitigates several risks

debian lts
June 9, 2025
Updating the python-django package is vital for reinforcing your Debian system's security against vulnerabilities and protecting your application from threats.
A number of vulnerabilities were discovered in Django, a popular Python-based web-development framework.

Summary

* CVE-2025-48432: Potential log injection via unescaped request path.

Django's internal HTTP response logging used request.path directly,
allowing control characters (e.g. newlines or ANSI escape sequences) to
be written unescaped into logs. This could enable log injection or
forgery, letting attackers manipulate log appearance or structure,
especially in logs processed by external systems or viewed in terminals.
(Closes: #1107282)

* CVE-2025-32873: Denial-of-service possibility in strip_tags()

django.utils.html.strip_tags() would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used
to implement the striptags template filter, which was therefore also
vulnerable. strip_tags() now raises a SuspiciousOperation exception if it
encounters an unusually large number of unclosed opening tags.
(Closes: #1104872)

* CVE-2023-41164: Potential denial of service vulnerability in
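The log-injection issue (CVE-2025-48432) above comes down to writing an attacker-controlled string into a log line without escaping control characters. The following Python is an added example, not Django's code and not the patch shipped in this update: it escapes C0/C1 control characters (newline, carriage return, ESC) in a request path before the line is built, so a crafted path cannot start a new log record or emit a terminal escape sequence. The `format_response_line` layout, the `escape_log_value` name and the logger name are assumptions for the illustration.

```python
import logging
import re

# C0 control characters, DEL and the C1 range: everything that can split a
# log line (\n, \r), hide text (\b, \x7f) or start an ANSI escape sequence
# (\x1b) when the log is viewed in a terminal.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def escape_log_value(value: str) -> str:
    """Return `value` with every control character replaced by a visible
    backslash-x escape (newline -> '\\x0a', ESC -> '\\x1b').

    The result is printable and single-line, so a request path can no longer
    forge an additional log record or recolour the terminal showing the log.
    """
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def format_response_line(method: str, path: str, status: int) -> str:
    """Build one access-log line for a request/response pair.

    Assumed layout for this example (not Django's exact message). Only the
    attacker-influenced field, the path, needs escaping; method and status
    come from the server's own parsing.
    """
    return f"{method} {escape_log_value(path)} -> {status}"


if __name__ == "__main__":
    logging.basicConfig(format="%(asctime)s %(levelname)s %(message)s",
                        level=logging.INFO)
    log = logging.getLogger("django.server")  # logger name chosen for the demo

    # Constructed sample paths: a normal one and two carrying control
    # characters that unescaped logging would write verbatim.
    sample_paths = [
        "/accounts/login/",
        "/search?q=x\n2025-06-09 INFO forged line",  # embedded newline
        "/x\x1b[2J\x1b[H",                          # ANSI clear-screen
    ]
    for p in sample_paths:
        log.info(format_response_line("GET", p, 200))
```

Running the module shows each path landing on exactly one log line; the escaped form also keeps the original bytes recoverable for investigators, which a plain "strip control characters" approach would lose.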



Package: python-django
Version: 2:2.2.28-1~deb11u7
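For the strip_tags() issue (CVE-2025-32873), the mitigation described in the summary is a guard that refuses input with an unusually large number of unclosed opening tags. The following is an added example, not Django's implementation: the threshold, the helper names, the exception class and the minimal tag stripper are all assumptions made so the code runs without Django installed. It shows the same idea as self-contained Python: count `<` characters that never reach a `>`, and raise a SuspiciousOperation-style exception before handing the text to the stripper.

```python
import re


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation (assumed here so
    the example runs without Django installed)."""


# Threshold chosen for this example; it is not the value used by Django.
MAX_UNCLOSED_OPEN_TAGS = 50

# One pass of the stand-in stripper removes every complete <...> that contains
# no nested '<' or '>'.
_COMPLETE_TAG = re.compile(r"<[^<>]*>")


def count_unclosed_open_tags(text: str) -> int:
    """Count '<' characters that are never followed by a '>' before the next
    '<' or the end of the text, i.e. opening tags that are never closed."""
    unclosed = 0
    pending = False          # True while inside a '<' that has not seen '>'
    for ch in text:
        if ch == "<":
            if pending:      # previous '<' was abandoned: unclosed tag
                unclosed += 1
            pending = True
        elif ch == ">":
            pending = False
    if pending:              # text ended inside a tag
        unclosed += 1
    return unclosed


def strip_tags_unguarded(text: str) -> str:
    """Minimal tag stripper (assumed, not Django's): repeat single passes until
    the text stops changing, so nested markup is peeled one layer per pass.
    It stands in for the real stripper so the guard has something to protect;
    it does not reproduce Django's slow path."""
    while True:
        stripped = _COMPLETE_TAG.sub("", text)
        if stripped == text:
            return text
        text = stripped


def strip_tags(text: str, max_unclosed: int = MAX_UNCLOSED_OPEN_TAGS) -> str:
    """Guarded entry point: reject pathological input before the stripping
    loop runs, mirroring the mitigation described for CVE-2025-32873."""
    unclosed = count_unclosed_open_tags(text)
    if unclosed > max_unclosed:
        raise SuspiciousOperation(
            f"{unclosed} unclosed opening tags exceeds limit of {max_unclosed}"
        )
    return strip_tags_unguarded(text)


if __name__ == "__main__":
    # Constructed inputs: ordinary markup and an abusive fragment string.
    print(strip_tags("<p>Hello <b>world</b></p>"))
    try:
        strip_tags("<a" * 10_000)
    except SuspiciousOperation as exc:
        print("rejected:", exc)
```

The count is a single linear pass, so the guard itself adds negligible cost; in Django the exception it raises is the kind the request handler turns into a 400 response, which is why surfacing it as SuspiciousOperation rather than silently truncating is the right shape for a template filter.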
