Bug 32944

Summary: python-django new security issue CVE-2024-27351
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, sysadmin-bugs, tarazed25
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: python-django-4.1.13-1.mga9.src.rpm CVE: CVE-2024-27351
Status comment:

Description Nicolas Salguero 2024-03-07 16:10:35 CET 
Upstream has issued an advisory on March 4:
https://www.djangoproject.com/weblog/2024/mar/04/security-releases/

The issue is fixed upstream in 4.2.11.

Ubuntu has issued an advisory for this on March 4:
https://ubuntu.com/security/notices/USN-6674-1
Comment 1 Lewis Smith 2024-03-07 20:52:58 CET 
Package: python3-django
SRPM: python-django-4.1.13-1.mga9.src.rpm

Stig has just updated Cauldron to version 4.2.11, so assigning this to you for Mageia 9 also. It will of course need an Advisory...

Assignee: bugsquad => smelror
Status comment: (none) => fixed upstream in 4.2.11
Source RPM: (none) => python-django-4.1.13-1.mga9.src.rpm

Comment 2 Nicolas Salguero 2024-03-19 15:28:40 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. (CVE-2024-27351)

References:
https://www.djangoproject.com/weblog/2024/mar/04/security-releases/
https://ubuntu.com/security/notices/USN-6674-1
========================

Updated package in core/updates_testing:
========================
python3-django-4.1.13-1.1.mga9

from SRPM:
python-django-4.1.13-1.1.mga9.src.rpm

Assignee: smelror => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2024-27351
Status comment: fixed upstream in 4.2.11 => (none)

Comment 3 Len Lawrence 2024-03-19 17:28:02 CET 
Mageia9, x64
Before the update django-admin worked fine.
$ tree mysite
mysite
├── manage.py
└── mysite
    ├── asgi.py
    ├── __init__.py
    ├── settings.py
    ├── urls.py
    └── wsgi.py

Removed mysite and updated, then:
$ django-admin startproject mysite
$ tree mysite
mysite
├── manage.py
└── mysite
    ├── asgi.py
    ├── __init__.py
    ├── settings.py
    ├── urls.py
    └── wsgi.py
$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
[...]
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK

$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...
System check identified no issues (0 silenced).
March 19, 2024 - 16:20:36
Django version 4.1.13, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Visited port 8000 in a browser to see the introductory with its rocketship emblem and confirmation of a successfull installation.  There were links to release-notes, documentation, startup tutorial and the community.

Giving this a pass.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => tarazed25

Len Lawrence 2024-03-19 18:03:00 CET

Keywords: (none) => advisory

Comment 4 Thomas Andrews 2024-03-19 23:17:21 CET 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2024-03-20 04:36:37 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0075.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED