USN-6946-1: Django vulnerabilities

Releases

• Ubuntu 24.04 LTS
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM

Packages

• python-django - High-level Python web development framework

Details

It was discovered that Django incorrectly handled certain strings in
floatformat function. An attacker could possibly use this issue to
cause a memory exhaustion. (CVE-2024-41989)

It was discovered that Django incorrectly handled very large inputs.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2024-41990)

It was discovered that Django in AdminURLFieldWidget incorrectly
handled certain inputs with a very large number of Unicode characters.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2024-41991)

It was discovered that Django incorrectly handled certain JSON objects.
An attacker could possibly use this issue to cause a potential SQL
injection. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 24.04
LTS. (CVE-2024-42005)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04

• python3-django - 3:4.2.11-1ubuntu1.2

Ubuntu 22.04

• python3-django - 2:3.2.12-2ubuntu1.13

Ubuntu 20.04

• python3-django - 2:2.2.12-1ubuntu0.24

Ubuntu 18.04

• python-django - 1:1.11.11-1ubuntu1.21+esm6
  Available with Ubuntu Pro
• python3-django - 1:1.11.11-1ubuntu1.21+esm6
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References

• CVE-2024-41990
• CVE-2024-42005
• CVE-2024-41989
• CVE-2024-41991