Your message dated Mon, 08 Jul 2019 19:54:53 +0000
with message-id <[email protected]>
and subject line Bug#922027: fixed in python-django 1:1.10.7-2+deb9u5
has caused the Debian Bug report #922027,
regarding CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
922027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922027
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: Django 2.2, 1.11
Severity: normal

CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

If django.utils.numberformat.format() -- used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters -- received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format(). To avoid this, decimals with more than 200 digits are now formatted using scientific notation.

Thanks Sjoerd Job Postmus for reporting this issue.

Affected supported versions
- Django master branch
- Django 2.2 (which will be released in a separate blog post later today)
- Django 2.1
- Django 2.0
- Django 1.11

Per our supported versions policy, Django 1.10 and older are no longer supported.

https://www.djangoproject.com/weblog/2019/feb/11/security-releases/

Regards,
Herbert
--- End Message ---
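The bug report above describes the fix only in one sentence: a Decimal whose fixed-point rendering would exceed 200 digits is formatted in scientific notation instead of with '{:f}'. The following is an added example (not Django's code and not part of the bug report) that shows how such a guard can be derived from Decimal.as_tuple() without ever materialising the long string; the 200-digit cutoff is the one the advisory states, while the function names, the handling of non-finite values, and the sample inputs are this example's own assumptions.

```python
from decimal import Decimal

# Cutoff taken from the advisory: more than 200 digits switches to
# scientific notation. The constant name is this example's, not Django's.
MAX_PLAIN_DIGITS = 200


def plain_digit_count(number: Decimal) -> int:
    """Approximate length of the string that '{:f}'.format(number) would build.

    A finite Decimal is coefficient * 10**exponent. A large positive exponent
    pads that many trailing zeros; a large negative exponent pads leading
    zeros after '0.'. Either way the fixed-point form grows with
    abs(exponent), so this value tracks its length to within a few
    characters, computed purely from the tuple representation.
    """
    _, digits, exponent = number.as_tuple()
    return abs(exponent) + len(digits)


def format_decimal(number: Decimal) -> str:
    """Render a Decimal for display without unbounded memory growth.

    Non-finite values (NaN, Infinity) carry a symbolic exponent in
    as_tuple(), so they are returned as their canonical string. Values
    whose fixed-point form would exceed MAX_PLAIN_DIGITS are rendered in
    scientific notation, whose size depends only on the coefficient
    length; everything else keeps the familiar fixed-point form.
    """
    if not number.is_finite():
        return str(number)
    if plain_digit_count(number) > MAX_PLAIN_DIGITS:
        return '{:e}'.format(number)
    return '{:f}'.format(number)


if __name__ == '__main__':
    # Constructed sample inputs: an ordinary value, one just under the
    # cutoff, and two that would expand to hundreds of characters.
    for sample in ('1234.5', '1e199', '1e300', '1e-300'):
        rendered = format_decimal(Decimal(sample))
        print(f'{sample:>8} -> {len(rendered):4d} chars: {rendered[:40]}')
```

The guard is the only piece of the fix that matters for memory: '{:e}' on a Decimal emits the coefficient digits plus a short exponent, so a value such as Decimal('1e1000000') costs a handful of bytes to render rather than a megabyte. When reviewing similar formatting helpers, look for any path that calls '{:f}', str(), or float() on attacker-influenced Decimal values before a size check.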
--- Begin Message ---
Source: python-django
Source-Version: 1:1.10.7-2+deb9u5

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 02 Jul 2019 23:07:21 -0300
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1:1.10.7-2+deb9u5
Distribution: stretch-security
Urgency: high
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 922027 929927 931316
Changes:
 python-django (1:1.10.7-2+deb9u5) stretch-security; urgency=high
 .
   * CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format.
     (Closes: #922027)
   * CVE-2019-12308: Prevent a XSS vulnerability in the Django admin via the
     AdminURLFieldWidget. (Closes: #929927)
   * CVE-2019-12781: Prevent incorrect HTTPS detection with reverse-proxies
     connecting via HTTPS. (Closes: #931316)
Checksums-Sha1:
 9cf46ff6b53e327287a635d7947504bab66f5e5b 2804 python-django_1.10.7-2+deb9u5.dsc
 4b9acc86beb3e79ac0fcfc3339fb7cad9cb7b286 39828 python-django_1.10.7-2+deb9u5.debian.tar.xz
 1383e694395bc1db1985a303a387592011dcb2d8 1513850 python-django-common_1.10.7-2+deb9u5_all.deb
 fbe06f7c2ed9995875601de4fbf915219332b420 2535508 python-django-doc_1.10.7-2+deb9u5_all.deb
 0783192722e7846642837d8000e4ee0ea5e99034 904054 python-django_1.10.7-2+deb9u5_all.deb
 e3f0210d8f6f2158f63b8a3ef46b7ab19792334e 9329 python-django_1.10.7-2+deb9u5_amd64.buildinfo
 40303e6ec9bc24c3a99cee145f1297d8d2373097 885816 python3-django_1.10.7-2+deb9u5_all.deb
Checksums-Sha256:
 5634a1d5ce9a9426076abb87945d7af24b9eab0115f6db039646f6f20437b2b8 2804 python-django_1.10.7-2+deb9u5.dsc
 f794310b8048bf962425ea1c23ad447cda236d04bba02f518cabab027b988cff 39828 python-django_1.10.7-2+deb9u5.debian.tar.xz
 5bc2c68ac9797eba7b2fa3beeae7ee5fa08954ce9fa2b078d2fc6c93fd44207b 1513850 python-django-common_1.10.7-2+deb9u5_all.deb
 e2cc407ab765e5e0068509471880f0b53c2776d1bb76a847ad33bf56d831dc30 2535508 python-django-doc_1.10.7-2+deb9u5_all.deb
 c62e37da6e5fe58bfff7fbdb7547a59fd8456ac0825777d86ecc84eafc2b8004 904054 python-django_1.10.7-2+deb9u5_all.deb
 25f8ec5325f48dba984300b3393e4ea73b75da5789722dae4981e7b6dcf1968c 9329 python-django_1.10.7-2+deb9u5_amd64.buildinfo
 e445e5695962a7a120206e4dc16022d670b253e0f275968d4b54776961b27c66 885816 python3-django_1.10.7-2+deb9u5_all.deb
Files:
 52ccdf5159351ca16a1f676901ae31ae 2804 python optional python-django_1.10.7-2+deb9u5.dsc
 eb488426deda61b3ba6811ffe1009c3d 39828 python optional python-django_1.10.7-2+deb9u5.debian.tar.xz
 fa0695738a8ba2b94d9ef7331f29bd24 1513850 python optional python-django-common_1.10.7-2+deb9u5_all.deb
 0428ccc6fd9f8dae732b5f085e3a3904 2535508 doc optional python-django-doc_1.10.7-2+deb9u5_all.deb
 8b9bdd5aee8b7be9d4c3e15c87e44013 904054 python optional python-django_1.10.7-2+deb9u5_all.deb
 dd5236564e0e51a91c4fe3d781e6c7d8 9329 python optional python-django_1.10.7-2+deb9u5_amd64.buildinfo
 21396fe97a0ec5511abc5c642b494354 885816 python optional python3-django_1.10.7-2+deb9u5_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl0cm48ACgkQHpU+J9Qx
Hlh7exAAjFGkoYJ+LSIxq+0TmgIdSlbJixN3QemPsd7w/jWcIPpy8u0MjmjqMWqh
qe1vvYdBDvW8NUHGa7QW5sUKzaYh9Lcj1f4G9VrcBp45vOXT/ao6RiSeyCsvXBRd
WOED9SdOSqOoCS0TGaOVRewkqXxx82MAPXcYeC77mhJvWQ4McvfByHRVw8mvy9uP
Ecw2YZ6rPxBrz2l0OVTRhw+HpYWgNSBFiEEBFSt6hSMcfinJlKW48lrAfhVtaje2
uPpucg4feUNQ8RMMueox0tEaJdNMgZ2GCY+I9MhBGyPkvKM/IZtoiCJr3hB560ck
OPAoP6vQR3iNafXE7jQRposSHwCUIi0SpmpKVCiW9ZcCjsv7J0dp14Z5uSpUR+mY
YVZ7uhCa3NALYsZM/+lj67sTw2H9MV6qZFtNigKvK29f6IuiHeVzMUal3SxWy35m
xUvczA4/SXsWn+ov2OVT0IqZATRNZ4lAOv4vTlBCR9mNVXy1RA8iP0ITn0PkzbRZ
yA/amxZ6a51a+WR0TUTAecgRjRvwe6GKQSXTQ8abD3Z1g3+/v6mXxNyXmNFRm0vf
VvP1892TXDwE69GmW2axmbTnSJ6kl4xHDkHpWhEtoqidraO75Ef0mMvtYyXcGv8g
xq94b2P1enGHcfkTnGc4gbfZKSEhgmSvAltxi9xb+W4TNDaLVnY=
=Awug
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Python-modules-team mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
