svn commit: r508025 - head/security/vuxml
Sunpoet Po-Chuan Hsieh
sunpoet at FreeBSD.org
Sat Aug 3 20:57:33 UTC 2019
Author: sunpoet
Date: Sat Aug 3 20:57:31 2019
New Revision: 508025
URL: https://svnweb.freebsd.org/changeset/ports/508025
Log:
Document Django vulnerability
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sat Aug 3 20:57:24 2019 (r508024)
+++ head/security/vuxml/vuln.xml Sat Aug 3 20:57:31 2019 (r508025)
@@ -58,6 +58,89 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="6e65dfea-b614-11e9-a3a2-1506e15611cc">
+ <topic>Django -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>py27-django111</name>
+ <name>py35-django111</name>
+ <name>py36-django111</name>
+ <name>py37-django111</name>
+ <range><lt>1.11.23</lt></range>
+ </package>
+ <package>
+ <name>py27-django21</name>
+ <name>py35-django21</name>
+ <name>py36-django21</name>
+ <name>py37-django21</name>
+ <range><lt>2.1.11</lt></range>
+ </package>
+ <package>
+ <name>py27-django22</name>
+ <name>py35-django22</name>
+ <name>py36-django22</name>
+ <name>py37-django22</name>
+ <range><lt>2.2.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Django release notes:</p>
+ <blockquote cite="https://docs.djangoproject.com/en/1.11/releases/1.11.23/">
+ <p>CVE-2019-14232: Denial-of-service possibility in
+ django.utils.text.Truncator</p>
+ <p>If django.utils.text.Truncator's chars() and words() methods were
+ passed the html=True argument, they were extremely slow to evaluate
+ certain inputs due to a catastrophic backtracking vulnerability in a
+ regular expression. The chars() and words() methods are used to
+ implement the truncatechars_html and truncatewords_html template
+ filters, which were thus vulnerable</p>
+ <p>The regular expressions used by Truncator have been simplified in
+ order to avoid potential backtracking issues. As a consequence, trailing
+ punctuation may now at times be included in the truncated output.</p>
+ <p>CVE-2019-14233: Denial-of-service possibility in strip_tags()</p>
+ <p>Due to the behavior of the underlying HTMLParser,
+ django.utils.html.strip_tags() would be extremely slow to evaluate
+ certain inputs containing large sequences of nested incomplete HTML
+ entities. The strip_tags() method is used to implement the corresponding
+ striptags template filter, which was thus also vulnerable.</p>
+ <p>strip_tags() now avoids recursive calls to HTMLParser when progress
+ removing tags, but necessarily incomplete HTML entities, stops being
+ made.</p>
+ <p>Remember that absolutely NO guarantee is provided about the results of
+ strip_tags() being HTML safe. So NEVER mark safe the result of a
+ strip_tags() call without escaping it first, for example with
+ django.utils.html.escape().</p>
+ <p>CVE-2019-14234: SQL injection possibility in key and index lookups for
+ JSONField/HStoreField</p>
+ <p>Key and index lookups for JSONField and key lookups for HStoreField
+ were subject to SQL injection, using a suitably crafted dictionary,
+ with dictionary expansion, as the **kwargs passed to QuerySet.filter().</p>
+ <p>CVE-2019-14235: Potential memory exhaustion in
+ django.utils.encoding.uri_to_iri()</p>
+ <p>If passed certain inputs, django.utils.encoding.uri_to_iri() could lead
+ to significant memory usage due to excessive recursion when
+ re-percent-encoding invalid UTF-8 octet sequences.</p>
+ <p>uri_to_iri() now avoids recursion when re-percent-encoding invalid
+ UTF-8 octet sequences.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://docs.djangoproject.com/en/1.11/releases/1.11.23/</url>
+ <url>https://docs.djangoproject.com/en/2.1/releases/2.1.11/</url>
+ <url>https://docs.djangoproject.com/en/2.2/releases/2.2.4/</url>
+ <cvename>CVE-2019-14232</cvename>
+ <cvename>CVE-2019-14233</cvename>
+ <cvename>CVE-2019-14234</cvename>
+ <cvename>CVE-2019-14235</cvename>
+ </references>
+ <dates>
+ <discovery>2019-08-01</discovery>
+ <entry>2019-08-03</entry>
+ </dates>
+ </vuln>
+
<vuln vid="e7b69694-b3b5-11e9-9bb6-0800274e5f20">
<topic>gitea -- multiple vulnerabilities</topic>
<affects>
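Review bot: the quoted release-notes paragraph ending "which were thus vulnerable" drops the sentence's closing period; since the rest of the blockquote is verbatim from the upstream notes, add the trailing "." so the paragraph reads "...filters, which were thus vulnerable." Also, the py27-django21 and py27-django22 names in the second and third <package> blocks look suspicious: Django 2.x does not support Python 2, so please verify those flavors exist in the tree before shipping them in the entry; a name that matches no port is harmless to the matcher but pads the record and suggests the ranges were copied from the django111 block rather than checked against the actual flavors.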