Colin Watson uploaded new packages for python-django which fixed the
following security problems:
CVE-2024-45230

Potential denial-of-service vulnerability in
django.utils.html.urlize(). urlize and urlizetrunc were subject to a
potential denial-of-service attack via very large inputs with a
specific sequence of characters.

CVE-2024-45231

Potential user email enumeration via response status on password
reset. Due to unhandled email sending failures, the
django.contrib.auth.forms.PasswordResetForm class allowed remote
attackers to enumerate user emails by issuing password reset
requests and observing the outcomes. To mitigate this risk,
exceptions occurring during password reset email sending are now
handled and logged using the django.contrib.auth logger.
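The response-status oracle described for CVE-2024-45231 and the effect of the fix, modelled in standalone Python as an added illustration (this is not Django's own PasswordResetForm code; SMTPFailure, KNOWN_USERS, mail_backend and the view/handler functions are constructed stand-ins):

```python
import logging

# Illustrative model, not Django's implementation. The logger name is the
# one the advisory says the fix uses.
logger = logging.getLogger("django.contrib.auth")


class SMTPFailure(Exception):
    """Stand-in for the exception a failing mail backend raises."""


def send_reset_email(email, send):
    """Pre-fix shape: a send failure propagates up to the view."""
    send(email)


def send_reset_email_fixed(email, send):
    """Post-fix shape: the failure is logged and swallowed, so the
    caller's response no longer depends on whether mail was attempted."""
    try:
        send(email)
    except Exception:
        logger.exception("Failed to send password reset email to %s", email)


# Constructed user table: only one address has an account.
KNOWN_USERS = {"alice@example.com"}


def mail_backend(email):
    """Constructed backend that is currently unable to deliver."""
    raise SMTPFailure("connection refused")


def password_reset_view(email, handler):
    """Returns the HTTP status a client would observe. Mail is only ever
    attempted for addresses that have an account, which is the source
    of the difference in outcome."""
    try:
        if email in KNOWN_USERS:
            handler(email, mail_backend)
        return 302  # redirect to the 'email sent' page in both cases
    except Exception:
        return 500


def status_oracle(handler):
    """True if a known and an unknown address produce different statuses."""
    known = password_reset_view("alice@example.com", handler)
    unknown = password_reset_view("nobody@example.com", handler)
    return known != unknown
```

With the pre-fix handler the two requests are distinguishable; with the fixed handler both return the same redirect, and the failure is visible only in the server log.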
CVE-2024-53907

Potential DoS in django.utils.html.strip_tags. The strip_tags()
method and striptags template filter were subject to a potential
denial-of-service attack via certain inputs containing large
sequences of nested incomplete HTML entities.

CVE-2024-53908

Potential SQL injection in HasKey(lhs, rhs) on Oracle. Direct
usage of the django.db.models.fields.json.HasKey lookup on
Oracle was subject to SQL injection if untrusted data was used as
the lhs value. Applications that use the jsonfield.has_key lookup
through the __ syntax are unaffected.

CVE-2024-56374

Potential denial-of-service vulnerability in IPv6 validation. A
lack of upper bound limit enforcement on strings passed when
performing IPv6 validation could have led to a potential
denial-of-service (DoS) attack. The undocumented and private
functions clean_ipv6_address and is_valid_ipv6_address were
vulnerable, as was the GenericIPAddressField form field, which
has now been updated to define a max_length of 39 characters.
The GenericIPAddressField model field was not affected.
For the bookworm-backports distribution the problems have been fixed
in version 3:4.2.18-1~bpo12+1.