Debian DLA-1872-1 : python-django security update

high Nessus Plugin ID 127481

Synopsis

The remote Debian host is missing a security update.

Description

It was discovered that there were two vulnerabilities in the Django web development framework:

- CVE-2019-14232: Prevent a possible denial of service in django.utils.text.Truncator.

If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

The regular expressions used by Truncator have been simplified in order to avoid potential backtracking issues. As a consequence, trailing punctuation may now at times be included in the truncated output.

- CVE-2019-14233: Prevent a possible denial of service in strip_tags().

Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.

strip_tags() now stops making recursive calls to HTMLParser as soon as a pass no longer makes progress at removing tags, even if incomplete HTML entities are still being consumed.

Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape().
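The termination rule described above, as an added illustration rather than Django's or Debian's own code: a stdlib html.parser tag stripper that re-feeds the parser only while a pass actually removes a tag (the count of '<' drops), and additionally caps the number of passes (the cap is an assumption of this example, not part of the upstream fix).

```python
from html.parser import HTMLParser

# Added example, not Django's own code. Each pass removes one layer of tags;
# the loop stops as soon as a pass removes no tag, mirroring the mitigation
# for CVE-2019-14233. max_passes is an extra safeguard assumed here.


class _TagStripper(HTMLParser):
    """Keeps text, re-emits entity/char references verbatim, drops tags."""

    def __init__(self):
        # convert_charrefs=False so references pass through unchanged.
        super().__init__(convert_charrefs=False)
        self._parts = []

    def handle_data(self, data):
        self._parts.append(data)

    def handle_entityref(self, name):
        self._parts.append(f"&{name};")

    def handle_charref(self, name):
        self._parts.append(f"&#{name};")

    def get_data(self):
        return "".join(self._parts)


def _strip_once(value):
    stripper = _TagStripper()
    stripper.feed(value)
    stripper.close()
    return stripper.get_data()


def strip_tags(value, max_passes=16):
    """Return value with HTML tags removed. The result is NOT HTML-safe."""
    value = str(value)
    passes = 0
    while "<" in value and ">" in value and passes < max_passes:
        new_value = _strip_once(value)
        passes += 1
        if value.count("<") == new_value.count("<"):
            # No tag was removed in this pass: stop instead of looping again.
            break
        value = new_value
    return value
```

Nested tags such as `<<b>b>x</b>` need a second pass, while `a < b > c` comes back unchanged after one pass because nothing parses as a tag.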

For Debian 8 'Jessie', these have been fixed in python-django version 1.7.11-1+deb8u7.

We recommend that you upgrade your python-django packages. You can find more information in upstream's announcement:

https://www.djangoproject.com/weblog/2019/aug/01/security-releases/

Thanks to Carlton Gibson et al. for their handling of these issues.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2019/08/msg00005.html

https://packages.debian.org/source/jessie/python-django

https://www.djangoproject.com/weblog/2019/aug/01/security-releases/

Plugin Details

Severity: High

ID: 127481

File Name: debian_DLA-1872.nasl

Version: 1.3

Type: local

Agent: unix

Published: 8/12/2019

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:python-django, p-cpe:/a:debian:debian_linux:python-django-common, p-cpe:/a:debian:debian_linux:python-django-doc, p-cpe:/a:debian:debian_linux:python3-django, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 8/6/2019

Vulnerability Publication Date: 8/6/2019