Bug 1227595 (CVE-2024-39614) - VUL-0: CVE-2024-39614: python-Django: potential denial-of-service through django.utils.translation.get_supported_language_variant()
Summary: VUL-0: CVE-2024-39614: python-Django: potential denial-of-service through dja...
Status: IN_PROGRESS
Alias: CVE-2024-39614
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Major
Target Milestone: ---
Assignee: Nico Krapp
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/413230/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-39614:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-09 18:57 UTC by SMASH SMASH
Modified: 2024-07-17 18:15 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-07-09 18:57:59 UTC
CVE-2024-39614: Potential denial-of-service in
django.utils.translation.get_supported_language_variant()
========================================================================================================

``get_supported_language_variant()`` was subject to a potential
denial-of-service attack when used with very long strings containing specific characters.

To mitigate this vulnerability, the language code provided to ``get_supported_language_variant()`` is now parsed up to a maximum length of 500 characters.
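As an added illustration of the mitigation described above (my own reconstruction, not code from the advisory or from Django), the lookup below expands a language code into its generic prefixes and applies the 500-character cap before that expansion. It assumes that "-" is the separator driving the expansion and that the caller supplies the set of supported codes.

```python
# Added example, not Django's code: a language-variant lookup with the
# 500-character cap from the advisory. Assumes "-" separates subtags.
LANGUAGE_CODE_MAX_LENGTH = 500  # the limit named in the advisory


def _candidate_codes(lang_code):
    """'zh-hant-tw' -> ['zh-hant-tw', 'zh-hant', 'zh']; grows with each '-'."""
    candidates = [lang_code]
    i = None
    while (i := lang_code.rfind("-", 0, i)) > -1:
        candidates.append(lang_code[:i])
    return candidates


def get_supported_language_variant(lang_code, supported, strict=False):
    """
    Return the first supported code among lang_code and its generic variants.
    Raise LookupError if nothing matches and ValueError if the code is longer
    than the cap and cannot be shortened to a generic variant within it.
    """
    if not lang_code:
        raise LookupError(lang_code)
    if len(lang_code) > LANGUAGE_CODE_MAX_LENGTH:
        # Mitigation: bound the input before any expansion happens. Non-strict
        # callers keep the longest generic variant that fits under the cap.
        index = lang_code.rfind("-", 0, LANGUAGE_CODE_MAX_LENGTH)
        if strict or index <= 0:
            raise ValueError("'lang_code' exceeds the maximum accepted length.")
        lang_code = lang_code[:index]
    candidates = _candidate_codes(lang_code)
    for code in candidates:
        if code in supported:
            return code
    if not strict:
        # 'de' unsupported but 'de-at' is: accept the regional variant.
        generic = candidates[-1]
        for code in sorted(supported):
            if code.startswith(generic + "-"):
                return code
    raise LookupError(lang_code)


def resolve(lang_code, supported, strict=False):
    """Report the outcome as a tag, the way a request log would record it."""
    try:
        return "match:" + get_supported_language_variant(lang_code, supported, strict)
    except ValueError:
        return "rejected:too-long"
    except LookupError:
        return "rejected:unsupported"
```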

Thanks to `MProgrammer <https://hackerone.com/mprogrammer>`_ for the report.

This issue has severity "moderate" according to the Django security policy.

Affected supported versions
===========================

* Django main branch
* Django 5.1 (currently at beta status)
* Django 5.0
* Django 4.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main, 5.1, 5.0, and 4.2 branches. The patches may be obtained from the following changesets.

CVE-2024-39614: Potential denial-of-service in
django.utils.translation.get_supported_language_variant()
--------------------------------------------------------------------------------------------------------

* On the `main branch <https://github.com/django/django/commit/9e9792228a6bb5d6402a5d645bc3be4cf364aefb>`_
* On the `5.1 branch <https://github.com/django/django/commit/e99ccc43429160828814a72067acf47f5fca9c94>`_
* On the `5.0 branch <https://github.com/django/django/commit/8e7a44e4bec0f11474699c3111a5e0a45afe7f49>`_
* On the `4.2 branch <https://github.com/django/django/commit/17358fb35fb7217423d4c4877ccb6d1a3a40b1c3>`_

The following releases have been issued
=======================================

* Django 5.0.7 (`download Django 5.0.7
  <https://www.djangoproject.com/m/releases/5.0/Django-5.0.7.tar.gz>`_ |
  `5.0.7 checksums
  <https://www.djangoproject.com/m/pgp/Django-5.0.7.checksum.txt>`_)
* Django 4.2.14 (`download Django 4.2.14
  <https://www.djangoproject.com/m/releases/4.2/Django-4.2.14.tar.gz>`_ |
  `4.2.14 checksums
  <https://www.djangoproject.com/m/pgp/Django-4.2.14.checksum.txt>`_)

The PGP key ID used for this release is Natalia Bidart: `2EE82A8D9470983E <https://github.com/nessita.gpg>`_

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39614
https://seclists.org/oss-sec/2024/q3/39
https://github.com/django/django/commit/9e9792228a6bb5d6402a5d645bc3be4cf364aefb
https://github.com/django/django/commit/e99ccc43429160828814a72067acf47f5fca9c94
https://github.com/django/django/commit/8e7a44e4bec0f11474699c3111a5e0a45afe7f49
https://github.com/django/django/commit/17358fb35fb7217423d4c4877ccb6d1a3a40b1c3
Comment 7 Maintenance Automation 2024-07-17 16:30:11 UTC
SUSE-SU-2024:2545-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1207565, 1227590, 1227593, 1227594, 1227595
CVE References: CVE-2023-23969, CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, CVE-2024-39614
Maintenance Incident: [SUSE:Maintenance:34811](https://smelt.suse.de/incident/34811/)
Sources used:
openSUSE Leap 15.5 (src):
 python-Django-2.0.7-150000.1.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 OBSbugzilla Bot 2024-07-17 18:15:05 UTC
This is an autogenerated message for OBS integration:
This bug (1227595) was mentioned in
https://build.opensuse.org/request/show/1188243 Factory / python-Django