Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 945889 (CVE-2024-53907, CVE-2024-53908)

Summary: <dev-python/django-{5.1.4,5.0.10,4.2.17}: multiple vulnerabilities
Product: Gentoo Security Reporter: Michał Górny <mgorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.djangoproject.com/weblog/2024/dec/04/security-releases/
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 945903, 945904, 945905    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-12-05 04:30:29 UTC 
CVE-2024-53907: Denial-of-service possibility in strip_tags()

strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.

strip_tags() now has an upper limit of recursive calls to HTMLParser before raising a SuspiciousOperation exception.

Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape().


CVE-2024-53908: Potential SQL injection via HasKey(lhs, rhs) on Oracle

Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle was subject to SQL injection if untrusted data was used as a lhs value.

Applications that use the has_key lookup through the __ syntax are unaffected.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-12-05 12:00:21 UTC 
cleanup done.