Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 892806 (CVE-2023-23969) - <dev-python/django-{3.2.17,4.0.9,4.1.6}: Potential denial-of-service via Accept-Language headers
Summary: <dev-python/django-{3.2.17,4.0.9,4.1.6}: Potential denial-of-service via Acce...
Alias: CVE-2023-23969
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Depends on: 892808 892810 892812
  Show dependency tree
Reported: 2023-02-01 11:40 UTC by Michał Górny
Modified: 2023-02-20 19:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-02-01 11:40:46 UTC
CVE-2023-23969: Potential denial-of-service via Accept-Language headers¶

The parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if large header values are sent.

In order to avoid this vulnerability, the Accept-Language header is now parsed up to a maximum length.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-02-01 19:36:27 UTC
Cleanup done.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-20 19:41:38 UTC