Vulnerability CVE-2023-23969: Information
Description
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| python3-module-django | sisyphus | 3.2.18-alt1 | 4.2.13-alt1 | ALT-PU-2023-1510-1 | 317426 | Fixed |
| python3-module-django | sisyphus_e2k | 3.2.18-alt1 | 4.2.13-alt1 | ALT-PU-2023-2964-1 | - | Fixed |
| python3-module-django | sisyphus_riscv64 | 3.2.18-alt1 | 4.2.13-alt1 | ALT-PU-2023-2978-1 | - | Fixed |
| python3-module-django | p10 | 3.2.18-alt1 | 3.2.25-alt1 | ALT-PU-2023-1553-1 | 317508 | Fixed |
| python3-module-django | p10_e2k | 3.2.18-alt1 | 3.2.25-alt1 | ALT-PU-2023-3047-1 | - | Fixed |
| python3-module-django | c10f1 | 3.2.18-alt1 | 3.2.25-alt1 | ALT-PU-2023-1553-1 | 317508 | Fixed |
| python3-module-django | p11 | 3.2.18-alt1 | 4.2.13-alt1 | ALT-PU-2023-1510-1 | 317426 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
|---|---|
| https://docs.djangoproject.com/en/4.1/releases/security/ |
|
| https://www.djangoproject.com/weblog/2023/feb/01/security-releases/ |
|
| [debian-lts-announce] 20230201 [SECURITY] [DLA 3306-1] python-django security update |
|
| https://security.netapp.com/advisory/ntap-20230302-0007/ | |
| https://groups.google.com/forum/#%21forum/django-announce | |
| FEDORA-2023-8fed428c5e | |
| FEDORA-2023-a53ab7c969 |