Debian Security Advisory
DLA-3306-1 python-django -- LTS security update
- Date Reported:
- 01 Feb 2023
- Affected Packages:
- python-django
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2023-23969.
- More information:
-
It was discovered that there was a potential Denial of Service (DoS) vulnerability in Django, a popular Python-based web development framework.
Parsed values of the
Accept-Language
HTTP headers are cached by Django order to avoid repetitive parsing. This could have led to a potential denial-of-service attack via excessive memory usage if the raw value ofAccept-Language
headers was very large.Accept-Language
headers are now limited to a maximum length specifically in order to avoid this issue.For Debian 10
Buster
, this problem has been fixed in version 1:1.11.29-1+deb10u6.We recommend that you upgrade your python-django packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS