Date:      Sat, 3 Aug 2019 20:57:32 +0000 (UTC)
From:      Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r508025 - head/security/vuxml
Message-ID:  <201908032057.x73KvWl4087036@repo.freebsd.org>

Author: sunpoet
Date: Sat Aug  3 20:57:31 2019
New Revision: 508025
URL: https://svnweb.freebsd.org/changeset/ports/508025

Log:
  Document Django vulnerability

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sat Aug  3 20:57:24 2019	(r508024)
+++ head/security/vuxml/vuln.xml	Sat Aug  3 20:57:31 2019	(r508025)
@@ -58,6 +58,89 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="6e65dfea-b614-11e9-a3a2-1506e15611cc">
+    <topic>Django -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>py27-django111</name>
+	<name>py35-django111</name>
+	<name>py36-django111</name>
+	<name>py37-django111</name>
+	<range><lt>1.11.23</lt></range>
+      </package>
+      <package>
+	<name>py27-django21</name>
+	<name>py35-django21</name>
+	<name>py36-django21</name>
+	<name>py37-django21</name>
+	<range><lt>2.1.11</lt></range>
+      </package>
+      <package>
+	<name>py27-django22</name>
+	<name>py35-django22</name>
+	<name>py36-django22</name>
+	<name>py37-django22</name>
+	<range><lt>2.2.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Django release notes:</p>
+	<blockquote cite="https://docs.djangoproject.com/en/1.11/releases/1.11.23/">;
+	  <p>CVE-2019-14232: Denial-of-service possibility in
+	    django.utils.text.Truncator</p>
+	  <p>If django.utils.text.Truncator's chars() and words() methods were
+	    passed the html=True argument, they were extremely slow to evaluate
+	    certain inputs due to a catastrophic backtracking vulnerability in a
+	    regular expression. The chars() and words() methods are used to
+	    implement the truncatechars_html and truncatewords_html template
+	    filters, which were thus vulnerable</p>
+	  <p>The regular expressions used by Truncator have been simplified in
+	    order to avoid potential backtracking issues. As a consequence, trailing
+	    punctuation may now at times be included in the truncated output.</p>
+	  <p>CVE-2019-14233: Denial-of-service possibility in strip_tags()</p>
+	  <p>Due to the behavior of the underlying HTMLParser,
+	    django.utils.html.strip_tags() would be extremely slow to evaluate
+	    certain inputs containing large sequences of nested incomplete HTML
+	    entities. The strip_tags() method is used to implement the corresponding
+	    striptags template filter, which was thus also vulnerable.</p>
+	  <p>strip_tags() now avoids recursive calls to HTMLParser when progress
+	    removing tags, but necessarily incomplete HTML entities, stops being
+	    made.</p>
+	  <p>Remember that absolutely NO guarantee is provided about the results of
+	    strip_tags() being HTML safe. So NEVER mark safe the result of a
+	    strip_tags() call without escaping it first, for example with
+	    django.utils.html.escape().</p>
+	  <p>CVE-2019-14234: SQL injection possibility in key and index lookups for
+	    JSONField/HStoreField</p>
+	  <p>Key and index lookups for JSONField and key lookups for HStoreField
+	    were subject to SQL injection, using a suitably crafted dictionary,
+	    with dictionary expansion, as the **kwargs passed to QuerySet.filter().</p>
+	  <p>CVE-2019-14235: Potential memory exhaustion in
+	    django.utils.encoding.uri_to_iri()</p>
+	  <p>If passed certain inputs, django.utils.encoding.uri_to_iri() could lead
+	    to significant memory usage due to excessive recursion when
+	    re-percent-encoding invalid UTF-8 octet sequences.</p>
+	  <p>uri_to_iri() now avoids recursion when re-percent-encoding invalid
+	    UTF-8 octet sequences.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://docs.djangoproject.com/en/1.11/releases/1.11.23/</url>;
+      <url>https://docs.djangoproject.com/en/2.1/releases/2.1.11/</url>;
+      <url>https://docs.djangoproject.com/en/2.2/releases/2.2.4/</url>;
+      <cvename>CVE-2019-14232</cvename>
+      <cvename>CVE-2019-14233</cvename>
+      <cvename>CVE-2019-14234</cvename>
+      <cvename>CVE-2019-14235</cvename>
+    </references>
+    <dates>
+      <discovery>2019-08-01</discovery>
+      <entry>2019-08-03</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="e7b69694-b3b5-11e9-9bb6-0800274e5f20">
     <topic>gitea -- multiple vulnerabilities</topic>
     <affects>
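Review bot: the stray `;` after the closing `>` on the `<vuxml ...>`, `<body ...>`, `<blockquote ...>` and the three `<url>...</url>` lines would put text content where the VuXML schema allows only elements, so `make validate` in security/vuxml would reject the entry if those characters are really in the file; if they are only an artifact of the mail-archive rendering, nothing to do. Two smaller points in the quoted release notes: the first CVE-2019-14232 paragraph ends "which were thus vulnerable" without the full stop the upstream text has, and each CVE headline is wrapped in its own `<p>` rather than the `<h1>`/`<h5>` style other entries in vuln.xml use for sub-headings, which is fine but worth keeping consistent with neighbouring Django entries. The affected ranges (`<lt>1.11.23</lt>`, `<lt>2.1.11</lt>`, `<lt>2.2.4</lt>`) match the three release-note URLs cited in `<references>`, and the four `<cvename>` entries match the CVEs named in the description.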