
Ubuntu alert USN-6888-2 (python-django)

From:  "Leonidas S. Barbosa" <leo.barbosa@canonical.com>
To:  ubuntu-security-announce@lists.ubuntu.com
Subject:  [USN-6888-2] Django vulnerabilities
Date:  Thu, 11 Jul 2024 13:17:00 -0300
Message-ID:  <20240711161700.GA3883170@d4rkl41n>

==========================================================================
Ubuntu Security Notice USN-6888-2
July 11, 2024

python-django vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Django.

Software Description:
- python-django: High-level Python web development framework

Details:

USN-6888-1 fixed several vulnerabilities in Django. This update provides
the corresponding update for Ubuntu 18.04 LTS.

Original advisory details:

 Elias Myllymäki discovered that Django incorrectly handled certain inputs
 with a large number of brackets. A remote attacker could possibly use this
 issue to cause Django to consume resources or stop responding, resulting in
 a denial of service. (CVE-2024-38875)

 It was discovered that Django incorrectly handled authenticating users with
 unusable passwords. A remote attacker could possibly use this issue to
 perform a timing attack and enumerate users. (CVE-2024-39329)

 Josh Schneier discovered that Django incorrectly handled file path
 validation when the storage class is being derived. A remote attacker could
 possibly use this issue to save files into arbitrary directories.
 (CVE-2024-39330)

 It was discovered that Django incorrectly handled certain long strings that
 included a specific set of characters. A remote attacker could possibly use
 this issue to cause Django to consume resources or stop responding,
 resulting in a denial of service. (CVE-2024-39614)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
  python-django                   1:1.11.11-1ubuntu1.21+esm5
                                  Available with Ubuntu Pro
  python3-django                  1:1.11.11-1ubuntu1.21+esm5
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6888-2
  https://ubuntu.com/security/notices/USN-6888-1
  CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, CVE-2024-39614


Attachment: signature.asc (type=application/pgp-signature)

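A practitioner reading this notice wants to know whether a given 18.04 host actually carries the fixed package, and the fixed version string (epoch 1, an "ubuntu" revision, an "+esm5" suffix) is exactly the kind of value that naive string or float comparison gets wrong. The following Python is an added example, not part of the Ubuntu notice or of Ubuntu's tooling: it implements the dpkg version-comparison rules (epoch first, then upstream, then revision; digit runs compared numerically, "~" sorting before the end of string) in pure Python so the check runs where dpkg is not installed, and applies it to a constructed sample of `dpkg-query -W -f='${Package}\t${Version}\n'` output. The sample output and the `assess` helper are assumptions for illustration.

```python
"""Check whether installed python-django packages meet the USN-6888-2 fix.

Added example, not part of the Ubuntu notice. Implements the Debian/dpkg
version-comparison algorithm in pure Python so it runs where dpkg is absent.
"""

# Fixed versions quoted in USN-6888-2 for Ubuntu 18.04 LTS (Ubuntu Pro / ESM).
FIXED_VERSIONS = {
    "python-django": "1:1.11.11-1ubuntu1.21+esm5",
    "python3-django": "1:1.11.11-1ubuntu1.21+esm5",
}

# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\n'` output
# (assumed, for illustration): one package one ESM release behind, one fixed.
SAMPLE_DPKG_OUTPUT = (
    "python-django\t1:1.11.11-1ubuntu1.21+esm4\n"
    "python3-django\t1:1.11.11-1ubuntu1.21+esm5\n"
    "python3-requests\t2.18.4-2ubuntu0.1\n"
)


def _order(c):
    """dpkg's character weight: '~' sorts before end-of-string, letters sort
    before other punctuation; digits are handled separately as numbers."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does:
    alternate between non-digit runs (compared via _order) and digit runs
    (compared numerically, leading zeros ignored)."""
    def ch(s, k):
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1   # a has more digits left, so its number is larger
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as `dpkg --compare-versions` would order a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def assess(dpkg_output, fixed=FIXED_VERSIONS):
    """Map each package named in the notice to True (fixed version or newer)
    or False (still vulnerable). Packages that are not installed are omitted."""
    status = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        pkg, installed = line.split("\t", 1)
        if pkg in fixed:
            status[pkg] = compare_versions(installed, fixed[pkg]) >= 0
    return status


if __name__ == "__main__":
    for pkg, ok in sorted(assess(SAMPLE_DPKG_OUTPUT).items()):
        print(f"{pkg}: {'fixed' if ok else 'VULNERABLE'}")
```

On a real host, feed `assess` the live output of `dpkg-query -W -f='${Package}\t${Version}\n' python-django python3-django` instead of the constructed sample. The epoch is the case worth remembering: a host reporting `1.11.11-1ubuntu1.21+esm5` without the leading `1:` is running a different package lineage and compares as older, which is what the comparison above reports.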




Copyright © 2025, Eklektix, Inc.