Bugzilla – Bug 1142882
VUL-0: CVE-2019-14233: python-Django: Denial-of-service possibility in ``strip_tags()``
Last modified: 2020-05-04 07:45:26 UTC
Now public through https://www.djangoproject.com/weblog/2019/aug/01/security-releases/

CVE-2019-14233: Denial-of-service possibility in strip_tags()

Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.

strip_tags() now avoids recursive calls to HTMLParser when progress removing tags, but necessarily incomplete HTML entities, stops being made.

Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape().
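Added worked example; this is not Django's code and not part of the bug report above. It builds a minimal HTMLParser-based tag stripper in the same style as the one the advisory describes and runs it in a loop under the two progress checks the advisory contrasts: strip_tags_length_progress stops only when a pass fails to shorten the string, while strip_tags_tag_progress stops as soon as a pass removes no tag, measured here by counting '<' characters before and after the pass (one way to express "progress removing tags"; the function names, the pass counters and the pathological_input helper are this example's own). The pathological input is constructed from the advisory's description: a '>' and a lone '<' keep the loop condition true, and a long run of '&' characters never forms a complete entity. How many passes the length-based loop makes on it depends on the html.parser in your Python release (on the versions current when this CVE was issued, the trailing incomplete entity costs one character per pass, so the loop runs once per '&'); the tag-count loop is bounded by the number of '<' characters plus one on any input.

```python
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Keep text and re-emitted entity/character references, drop tags.

    convert_charrefs=False so that '&amp;' reaches handle_entityref and is
    re-emitted verbatim instead of being decoded (this example's own choice).
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.pieces = []

    def handle_data(self, data):
        self.pieces.append(data)

    def handle_entityref(self, name):
        self.pieces.append('&%s;' % name)

    def handle_charref(self, name):
        self.pieces.append('&#%s;' % name)

    def get_data(self):
        return ''.join(self.pieces)


def _strip_once(value):
    """One parser pass: return the text with the tags the parser recognised removed."""
    parser = _TagStripper()
    parser.feed(value)
    parser.close()
    return parser.get_data()


def strip_tags_length_progress(value, max_passes=10_000):
    """Weak check: keep re-parsing while the string keeps getting shorter.

    Returns (stripped_text, number_of_parser_passes). max_passes is a safety
    cap for this demo only; an attacker-controlled input can make every pass
    shrink the string by one character without removing a single tag.
    """
    value = str(value)
    passes = 0
    while '<' in value and '>' in value and passes < max_passes:
        new_value = _strip_once(value)
        passes += 1
        if len(new_value) >= len(value):
            break  # nothing removed at all: the parser cannot make progress
        value = new_value
    return value, passes


def strip_tags_tag_progress(value):
    """Strong check: keep re-parsing only while tags are actually being removed.

    A pass that leaves the number of '<' characters unchanged removed no tag,
    so the loop stops even if incomplete entities made the string shorter.
    """
    value = str(value)
    passes = 0
    while '<' in value and '>' in value:
        new_value = _strip_once(value)
        passes += 1
        if value.count('<') == new_value.count('<'):
            break  # no tag opener disappeared: stop regardless of length
        value = new_value
    return value, passes


def pathological_input(n):
    """Constructed attacker input (not from the advisory): '>' and a lone '<'
    keep the loop condition true, and n '&' characters never form an entity."""
    return '><' + '&' * n + 'D'


if __name__ == '__main__':
    for sample in ('X<<<<br>br>br>br>X', pathological_input(1000)):
        weak = strip_tags_length_progress(sample)
        strong = strip_tags_tag_progress(sample)
        print(f'{sample[:12]!r:16} length-check passes={weak[1]:5} '
              f'tag-check passes={strong[1]}')
```

Both loops behave identically on genuinely nested tags, where every pass removes a tag and therefore shortens the string; they only diverge on input where the parser drops characters for reasons other than tag removal, which is exactly the class of input the advisory names.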
This is an autogenerated message for OBS integration: This bug (1142882) was mentioned in
https://build.opensuse.org/request/show/720189 Factory / python-Django
https://build.opensuse.org/request/show/720190 Factory / python-Django1
https://build.opensuse.org/request/show/720192 15.1 / python-Django
openSUSE-SU-2019:1839-1: An update that fixes 7 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-11358,CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used: openSUSE Leap 15.1 (src): python-Django-2.2.4-lp151.2.3.1
openSUSE-SU-2019:1872-1: An update that fixes 7 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-11358,CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used: openSUSE Backports SLE-15-SP1 (src): python-Django-2.2.4-bp151.3.3.1
SUSE-SU-2019:2180-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1142880,1142882,1142883,1142885
CVE References: CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used: SUSE OpenStack Cloud 7 (src): python-Django-1.8.19-3.15.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2257-1: An update that fixes 6 vulnerabilities is now available.
Category: security (important)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used: SUSE OpenStack Cloud Crowbar 8 (src): python-Django-1.11.23-3.12.1; SUSE OpenStack Cloud 8 (src): python-Django-1.11.23-3.12.1; HPE Helion Openstack 8 (src): python-Django-1.11.23-3.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
released
SUSE-SU-2019:2335-1: An update that fixes 6 vulnerabilities is now available.
Category: security (important)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used: SUSE OpenStack Cloud Crowbar 9 (src): python-Django1-1.11.23-3.9.1; SUSE OpenStack Cloud 9 (src): python-Django1-1.11.23-3.9.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.