
Ubuntu alert USN-6888-1 (python-django)

From:  Marc Deslauriers <marc.deslauriers@canonical.com>
To:  "ubuntu-security-announce@lists.ubuntu.com" <ubuntu-security-announce@lists.ubuntu.com>
Subject:  [USN-6888-1] Django vulnerabilities
Date:  Tue, 09 Jul 2024 15:27:06 -0400
Message-ID:  <85cabd1a-0617-4cf0-ae79-5ea7de3e1770@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6888-1
July 09, 2024

python-django vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Django.

Software Description:
- python-django: High-level Python web development framework

Details:

Elias Myllymäki discovered that Django incorrectly handled certain inputs
with a large number of brackets. A remote attacker could possibly use this
issue to cause Django to consume resources or stop responding, resulting in
a denial of service. (CVE-2024-38875)

It was discovered that Django incorrectly handled authenticating users with
unusable passwords. A remote attacker could possibly use this issue to
perform a timing attack and enumerate users. (CVE-2024-39329)

Josh Schneier discovered that Django incorrectly handled file path
validation when the storage class is being derived. A remote attacker could
possibly use this issue to save files into arbitrary directories.
(CVE-2024-39330)

It was discovered that Django incorrectly handled certain long strings that
included a specific set of characters. A remote attacker could possibly use
this issue to cause Django to consume resources or stop responding,
resulting in a denial of service. (CVE-2024-39614)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  python3-django                  3:4.2.11-1ubuntu1.1

Ubuntu 23.10
  python3-django                  3:4.2.4-1ubuntu2.3

Ubuntu 22.04 LTS
  python3-django                  2:3.2.12-2ubuntu1.12

Ubuntu 20.04 LTS
  python3-django                  2:2.2.12-1ubuntu0.23

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6888-1
  CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, CVE-2024-39614

Package Information:
  https://launchpad.net/ubuntu/+source/python-django/3:4.2....
  https://launchpad.net/ubuntu/+source/python-django/3:4.2....
  https://launchpad.net/ubuntu/+source/python-django/2:3.2....
  https://launchpad.net/ubuntu/+source/python-django/2:2.2....
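As an added check for the update instructions above (example code, not part of the advisory or of Ubuntu's tooling): it implements the Debian version ordering that dpkg uses and compares an installed python3-django version against the fixed version listed for each release, so it runs anywhere, even where dpkg is not available. The release keys are assumed to match VERSION_ID in /etc/os-release.

```python
import re
from itertools import zip_longest

# Fixed python3-django versions from USN-6888-1, keyed by Ubuntu release (VERSION_ID).
FIXED_VERSIONS = {
    "24.04": "3:4.2.11-1ubuntu1.1",
    "23.10": "3:4.2.4-1ubuntu2.3",
    "22.04": "2:3.2.12-2ubuntu1.12",
    "20.04": "2:2.2.12-1ubuntu0.23",
}

def _order(c):
    """Debian weight: '~' < end of string (0) < letters < all other characters."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Alternate non-digit runs (weighted by _order) and digit runs (numeric), as dpkg does."""
    while a or b:
        am, bm = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(am):], b[len(bm):]
        for x, y in zip_longest(am, bm, fillvalue=""):
            ox, oy = (_order(x) if x else 0), (_order(y) if y else 0)
            if ox != oy:
                return -1 if ox < oy else 1
        ad, bd = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        a, b = a[len(ad):], b[len(bd):]
        na, nb = int(ad or 0), int(bd or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def parse_version(v):
    """Split '[epoch:]upstream[-revision]'; a missing epoch is 0, a missing revision ''."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """-1, 0 or 1, ordered like dpkg --compare-versions: epoch, then upstream, then revision."""
    (ea, ua, ra), (eb, ub, rb) = parse_version(a), parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(release, installed):
    """True when the installed python3-django is at or above the advisory's fix for that release."""
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0
```

On the host itself the installed version comes from `dpkg-query -W -f='${Version}' python3-django`; a version string without an epoch parses as epoch 0 and therefore compares below every packaged fix, which is the conservative answer.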


Attachment: OpenPGP_signature.asc (type=application/pgp-signature)







Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds