[Debian] Medium CVE: CVE-2025-26699 python-django: a potential denial-of-service attack

Bug #2103669 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: (none)

Bug Description

CVE-2025-26699: https://nvd.nist.gov/vuln/detail/CVE-2025-26699

An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.

Base Score: Medium

Reference:

python3-django_2.2.28-1~deb11u4_all.deb -> python3-django_2:2.2.28-1~deb11u6_all.deb
https://security-tracker.debian.org/tracker/DLA-4086-1

OpenStack Infra (hudson-openstack) wrote: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/950662

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/950662
Committed: https://opendev.org/starlingx/tools/commit/44ba325d9ab939161a4401b4bf05e72d6c8aa4be
Submitter: "Zuul (22348)"
Branch: master

commit 44ba325d9ab939161a4401b4bf05e72d6c8aa4be
Author: Joao Tognolli Jr <email address hidden>
Date: Thu May 22 11:32:40 2025 -0300

    Debian: python3-django: fix multiple CVEs

    Upgrade python3-django to 2.2.28-1~deb11u6

    CVE-2025-26699: https://nvd.nist.gov/vuln/detail/CVE-2025-26699
    CVE-2024-56374: https://nvd.nist.gov/vuln/detail/CVE-2024-56374

    https://security-tracker.debian.org/tracker/DLA-4086-1
    https://www.tenable.com/plugins/nessus/232990
    https://security-tracker.debian.org/tracker/DLA-4030-1
    https://www.tenable.com/plugins/nessus/214548

    TestPlan:
    PASS: downloader; build-pkgs
    PASS: build-image
    PASS: install on SX-lab (VBox)

    Closes-Bug: 2103669
    Closes-Bug: 2096622

    Change-Id: Icad99b441c874dd298460d4c256693fc7231aa17
    Signed-off-by: Joao Tognolli Jr <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
This report contains Public Security information: everyone can see this security-related information.