• Bug#1104872: python-django: CVE-2025-32873 -- Denial-of-service possibility in strip_tags()

    From Chris Lamb@21:1/5 to All on Wed May 7 18:40:01 2025
    Package: python-django
    Version: 2:2.2.28-1~deb11u6
    X-Debbugs-CC: team@security.debian.org
    Severity: grave
    Tags: security

    Hi,

    The following vulnerability was published for python-django.

    CVE-2025-32873[0]:

    Denial-of-service possibility in strip_tags()

    django.utils.html.strip_tags() would be slow to evaluate certain
    inputs containing large sequences of incomplete HTML tags. This
    function is used to implement the striptags template filter, which
    was thus also vulnerable. django.utils.html.strip_tags() now
    raises a SuspiciousOperation exception if it encounters an
    unusually large number of unclosed opening tags.

    <https://www.djangoproject.com/weblog/2025/may/07/security-releases/>

    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-32873
    https://www.cve.org/CVERecord?id=CVE-2025-32873


    Regards,

    --
    ,''`.
    : :' : Chris Lamb
    `. `'` lamby@debian.org / chris-lamb.co.uk
    `-

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
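Added illustration, not Django's code and not part of the bug report: a simplified strip_tags() built on the standard library's HTMLParser, showing the repeat-until-stable loop that makes input full of incomplete tags quadratic, and the pass-count cap the advisory describes, raising a stand-in SuspiciousOperation. The cap value, the (text, passes) return shape and the sample inputs in the docstring are assumptions constructed for this example.

```python
from html.parser import HTMLParser

class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation."""

MAX_STRIP_TAGS_DEPTH = 50  # illustrative cap; the advisory gives no number

class _TagStripper(HTMLParser):
    """Keep text and entity references, drop the tags the parser recognises."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

    def handle_entityref(self, name):
        self.chunks.append(f"&{name};")

    def handle_charref(self, name):
        self.chunks.append(f"&#{name};")

def _strip_once(value):
    """One parser pass over the whole string: O(len(value)) work."""
    parser = _TagStripper()
    parser.feed(value)
    parser.close()
    return "".join(parser.chunks)

def strip_tags(value, max_depth=MAX_STRIP_TAGS_DEPTH):
    """Strip repeatedly, since removing a tag can expose another one:
    "<<a>b>" -> "<b>" -> "". Returns (text, passes_used).

    Constructed input such as "<" * n + "a>" * n loses only one tag per
    pass, so the uncapped loop does n passes of O(n) each. The cap raises
    instead of continuing past max_depth passes."""
    value = str(value)
    depth = 0
    while "<" in value and ">" in value:
        if depth >= max_depth:
            raise SuspiciousOperation("too many tag-stripping passes")
        new_value = _strip_once(value)
        if value.count("<") == new_value.count("<"):
            break  # the parser found nothing more to remove
        value = new_value
        depth += 1
    return value, depth
```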
  • From Colin Watson@21:1/5 to Chris Lamb on Thu May 8 10:10:01 2025
    On Wed, May 07, 2025 at 09:26:22AM -0700, Chris Lamb wrote:
    > The following vulnerability was published for python-django.
    >
    > CVE-2025-32873[0]:

    I noticed you apparently tried to upload 3:4.2.21-1 for this yesterday
    (judging from git), but I don't see it on
    https://tracker.debian.org/pkg/python-django nor in the ftp-master logs.
    Could you check whether the upload got lost somewhere?

    Thanks,

    --
    Colin Watson (he/him) [cjwatson@debian.org]

  • From Chris Lamb@21:1/5 to All on Thu May 8 20:20:01 2025
    Hi Colin,

    > I noticed you apparently tried to upload 3:4.2.21-1 for this yesterday
    > (judging from git), but I don't see it on
    > https://tracker.debian.org/pkg/python-django nor in the ftp-master logs.
    > Could you check whether the upload got lost somewhere?

    Actually there has been no attempt at an upload — yet. (And so therefore
    nothing has got lost.)

    I haven't uploaded the package yet for two reasons:

    (1) The Salsa CI tests are currently failing. (Just saw the failure
    email this morning, haven't opened it yet.)

    (2) There was a direct request from the team behind Debusine [0] that
    I try their service for a real update to a real package. I said I
    was happy to, especially as this CVE is not critical. (Django is a
    great package for this too, because it has so many reverse-deps.)

    [0] https://debusine.debian.net/


    Some questions for you, however:

    Are you inferring an attempt was made from the Git tag or the
    existence of the changelog? Or some other indicator? If so, that is
    misleading, and I'd be interested to know how I can prevent that in
    the future. :)

    May I assume you are asking as you'd like to update backports? If so,
    I'd be happy to let you know explicitly when I've uploaded something
    into unstable.


    Best wishes,

    --
    ,''`.
    : :' : Chris Lamb
    `. `'` lamby@debian.org 🍥 chris-lamb.co.uk
    `-

  • From Colin Watson@21:1/5 to Chris Lamb on Fri May 9 12:30:01 2025
    On Thu, May 08, 2025 at 11:02:01AM -0700, Chris Lamb wrote:
    > Hi Colin,
    >
    > > I noticed you apparently tried to upload 3:4.2.21-1 for this yesterday
    > > (judging from git), but I don't see it on
    > > https://tracker.debian.org/pkg/python-django nor in the ftp-master logs.
    > > Could you check whether the upload got lost somewhere?
    >
    > Actually there has been no attempt at an upload — yet. (And so therefore
    > nothing has got lost.)

    Ah, OK.

    > I haven't uploaded the package yet for two reasons:
    >
    > (1) The Salsa CI tests are currently failing. (Just saw the failure
    > email this morning, haven't opened it yet.)

    Yeah, since upstream seems to have removed setup.py, you need
    pybuild-plugin-pyproject now. I've done loads of those conversions so
    let me know if you need help with it.

    > (2) There was a direct request from the team behind Debusine [0] that
    > I try their service for a real update to a real package. I said I
    > was happy to, especially as this CVE is not critical. (Django is a
    > great package for this too, because it has so many reverse-deps.)
    >
    > [0] https://debusine.debian.net/

    Ah yes, that team includes me :-)

    > Some questions for you, however:
    >
    > Are you inferring an attempt was made from the Git tag or the
    > existence of the changelog? Or some other indicator? If so, that is
    > misleading, and I'd be interested to know how I can prevent that in
    > the future. :)

    I inferred it from the existence of the Git tag - in my own workflow I
    only ever push that at around the same time as an upload, to avoid
    confusion if any last-minute pre-upload corrections are needed.

    > May I assume you are asking as you'd like to update backports? If so,
    > I'd be happy to let you know explicitly when I've uploaded something
    > into unstable.

    Actually I just noticed it in the Python team's list of open RC bugs and
    wondered what was happening. But it's true that we also use the
    backport of python-django for debusine.debian.net, so I try to keep it
    up to date if you haven't already done so (I have no particular
    attachment to being the one doing the backport though!).

    Thanks,

    --
    Colin Watson (he/him) [cjwatson@debian.org]

  • From Chris Lamb@21:1/5 to Colin Watson on Fri May 9 23:00:01 2025
    Colin Watson wrote:

    > since upstream seems to have removed setup.py, you need
    > pybuild-plugin-pyproject now. I've done loads of those conversions
    > so let me know if you need help with it.

    Thanks, I'll have a poke in a bit and see how I get on. I should
    probably learn how this new Python build system works anyway. 14th
    time's the charm, I'm sure.

    > > (2) There was a direct request from the team behind Debusine [0] that
    > > I try their service for a real update to a real package. I said I
    > > was happy to, especially as this CVE is not critical. (Django is a
    > > great package for this too, because it has so many reverse-deps.)
    >
    > Ah yes, that team includes me :-)

    Ahhhh, now I feel silly for explaining it back to you. Still, Debusine
    might be running on a Django built by Debusine soon. :)

    > in my own workflow I only ever push that at around the same time as
    > an upload, to avoid confusion if any last-minute pre-upload
    > corrections are needed.

    That seems like a good strategy, especially in a team environment.
    I've gone ahead and deleted the debian/3%4.2.21-1 tag from Salsa so
    that at least that bit matches reality.


    Best wishes,

    --
    ,''`.
    : :' : Chris Lamb
    `. `'` lamby@debian.org 🍥 chris-lamb.co.uk
    `-
