Your message dated Tue, 14 Feb 2023 17:50:53 +0000
with message-id <[email protected]>
and subject line Bug#1031290: fixed in python-django 3:3.2.18-1
has caused the Debian Bug report #1031290,
regarding python-django: CVE-2023-24580 (denial-of-service vulnerability in 
file uploads)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1031290: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031290
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 1:1.11.29-1+deb10u6
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2023-24580[0]:

  Potential denial-of-service vulnerability in file uploads

  Passing certain inputs to multipart forms could result in too many
  open files or memory exhaustion, and provided a potential vector for
  a denial-of-service attack.

  The number of files parts parsed is now limited via the new
  DATA_UPLOAD_MAX_NUMBER_FILES setting.

  <https://www.djangoproject.com/weblog/2023/feb/14/security-releases/>

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-24580
    https://www.cve.org/CVERecord?id=CVE-2023-24580


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-

--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 3:3.2.18-1
Done: Chris Lamb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 14 Feb 2023 09:12:57 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:3.2.18-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1031290
Changes:
 python-django (3:3.2.18-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
 .
       Passing certain inputs to multipart forms could result in too many open
       files or memory exhaustion, and provided a potential vector for a
       denial-of-service attack.
 .
       The number of files parts parsed is now limited via the new
       DATA_UPLOAD_MAX_NUMBER_FILES setting.
 .
       Thanks to Jakob Ackermann for the report. (Closes: #1031290)

--- End Message ---
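
The check described in both messages above (a cap on the number of file parts accepted from one multipart form) can be sketched as follows. This is an added example, not code from the bug report, the Debian package or Django; `count_file_parts`, `build_body` and `TooManyFileParts` are hypothetical names, and the request bodies are constructed samples.

```python
# Added illustration: count multipart/form-data file parts and stop at a cap,
# the idea behind the DATA_UPLOAD_MAX_NUMBER_FILES setting named above.
from email.parser import BytesHeaderParser


class TooManyFileParts(Exception):
    """Hypothetical exception for this example."""


def count_file_parts(body: bytes, boundary: bytes, max_files: int) -> int:
    """Return the number of file parts, raising once the cap is exceeded.

    A production parser streams the body; splitting in memory keeps the
    example short and is only suitable for small constructed inputs.
    """
    delimiter = b"--" + boundary
    files = 0
    for chunk in body.split(delimiter)[1:]:      # [0] is the preamble
        if chunk.startswith(b"--"):              # closing "--boundary--"
            break
        head, _, _payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = BytesHeaderParser().parsebytes(head)
        # A part is a file upload when Content-Disposition has a filename.
        if headers.get_filename() is not None:
            files += 1
            if files > max_files:
                # Reject before any temporary file would be opened for it.
                raise TooManyFileParts(f"more than {max_files} file parts")
    return files


def build_body(boundary: bytes, n_files: int, n_fields: int) -> bytes:
    """Build a constructed multipart body with plain fields and file parts."""
    parts = []
    for i in range(n_fields):
        parts.append(b"--" + boundary + b"\r\n"
                     + b'Content-Disposition: form-data; name="t%d"' % i
                     + b"\r\n\r\nvalue\r\n")
    for i in range(n_files):
        parts.append(b"--" + boundary + b"\r\n"
                     + b'Content-Disposition: form-data; name="f%d"; '
                       b'filename="f%d.txt"' % (i, i)
                     + b"\r\nContent-Type: text/plain\r\n\r\nx\r\n")
    return b"".join(parts) + b"--" + boundary + b"--\r\n"


if __name__ == "__main__":
    b = b"example-boundary"
    print(count_file_parts(build_body(b, 3, 2), b, max_files=100))
    try:
        count_file_parts(build_body(b, 150, 0), b, max_files=100)
    except TooManyFileParts as exc:
        print("rejected:", exc)
```
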
