Your message dated Wed, 15 Jan 2025 18:27:38 +0000
with message-id <[email protected]>
and subject line Bug#1093049: fixed in python-django 3:4.2.18-1
has caused the Debian Bug report #1093049,
regarding python-django: CVE-2024-56374
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1093049: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093049
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-django
Version: 3:4.2.17-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-django.
CVE-2024-56374[0]:
| An issue was discovered in Django 5.1 before 5.1.5, 5.0 before
| 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement
| in strings passed when performing IPv6 validation could lead to a
| potential denial-of-service attack. The undocumented and private
| functions clean_ipv6_address and is_valid_ipv6_address are
| vulnerable, as is the django.forms.GenericIPAddressField form field.
| (The django.db.models.GenericIPAddressField model field is not
| affected.)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-56374
https://www.cve.org/CVERecord?id=CVE-2024-56374
[1] https://www.djangoproject.com/weblog/2025/jan/14/security-releases/
[2] https://github.com/django/django/commit/ad866a1ca3e7d60da888d25d27e46a8adb2ed36e
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 3:4.2.18-1
Done: Chris Lamb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 15 Jan 2025 17:38:10 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.18-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1093049
Changes:
python-django (3:4.2.18-1) unstable; urgency=high
.
* New upstream security release. (Closes: #1093049)
.
- CVE-2024-56374: Potential denial-of-service vulnerability in IPv6
validation.
.
A lack of upper bound limit enforcement in strings passed when performing
IPv6 validation could have led to a potential denial-of-service (DoS)
attack. The undocumented and private functions clean_ipv6_address and
is_valid_ipv6_address were vulnerable, as was the GenericIPAddressField
form field, which has now been updated to define a max_length of 39
characters. The GenericIPAddressField model field was not affected.
.
<https://www.djangoproject.com/weblog/2025/jan/14/security-releases/>
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---
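The mitigation described in the CVE text and the changelog above is an upper bound on input length applied before any IPv6 parsing work. The snippet below is an added illustration of that pattern, not code from Django or from the Debian package: it uses the standard-library `ipaddress` module in place of Django's private `clean_ipv6_address` / `is_valid_ipv6_address`, and the function names and the constructed sample inputs are assumptions.

```python
import ipaddress

# 39 characters is the length of a fully expanded IPv6 address
# (eight 4-hex-digit groups plus seven colons). It is the max_length the
# 4.2.18 release gives the GenericIPAddressField form field. Longer
# syntactic forms (e.g. an uncompressed address with a dotted-quad suffix)
# fall outside this bound and are rejected by it.
IPV6_MAX_LENGTH = 39


def is_valid_ipv6_address_bounded(value, max_length=IPV6_MAX_LENGTH):
    """Return True only for a well-formed IPv6 address within the bound.

    The length check runs first, so oversized input is rejected in O(1)
    without reaching the parser. That is the whole point of the fix:
    unbounded input must never reach the expensive validation path.
    """
    if not isinstance(value, str) or len(value) > max_length:
        return False
    try:
        ipaddress.IPv6Address(value)
    except ValueError:
        return False
    return True


def clean_ipv6_address_bounded(value, max_length=IPV6_MAX_LENGTH):
    """Return the compressed canonical form, raising ValueError if rejected."""
    if len(value) > max_length:
        raise ValueError(
            "IPv6 address longer than %d characters rejected" % max_length
        )
    return ipaddress.IPv6Address(value).compressed  # raises ValueError if malformed


if __name__ == "__main__":
    # Constructed samples: a normal address, an expanded one, and an
    # oversized string of the kind an unbounded field would hand to the parser.
    samples = [
        "2001:db8::1",
        "2001:0db8:0000:0000:0000:0000:0000:0001",
        "::1" + "0" * 100_000,
    ]
    for s in samples:
        print(len(s), is_valid_ipv6_address_bounded(s))
```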