diff -Nru graphite-web-1.0.2+debian/debian/changelog graphite-web-1.0.2+debian/debian/changelog
--- graphite-web-1.0.2+debian/debian/changelog 2023-07-19 17:08:55.000000000 +0100
+++ graphite-web-1.0.2+debian/debian/changelog 2023-08-09 11:22:45.000000000 +0100
@@ -1,3 +1,11 @@
+graphite-web (1.0.2+debian-2ubuntu0.1~esm2) bionic-security; urgency=medium
+
+ * SECURITY REGRESSION: Denial of Service
+ - debian/patches/CVE-2022-4728-fixed-regression.patch: fixed regression in
+ renderView function introduced in CVE-2022-4728.patch
+
+ -- Amir Naseredini Wed, 09 Aug 2023 11:22:45 +0100
+
 graphite-web (1.0.2+debian-2ubuntu0.1~esm1) bionic-security; urgency=medium
 
 * SECURITY UPDATE: XSS
diff -Nru graphite-web-1.0.2+debian/debian/patches/CVE-2022-4728-fixed-regression.patch graphite-web-1.0.2+debian/debian/patches/CVE-2022-4728-fixed-regression.patch
--- graphite-web-1.0.2+debian/debian/patches/CVE-2022-4728-fixed-regression.patch 1970-01-01 01:00:00.000000000 +0100
+++ graphite-web-1.0.2+debian/debian/patches/CVE-2022-4728-fixed-regression.patch 2023-08-09 11:22:23.000000000 +0100
@@ -0,0 +1,57 @@
+From 619a6210c9b6f6978a2f5aa37365a00b7af0bc57 Mon Sep 17 00:00:00 2001
+From: Mauro Stettler
+Date: Wed, 31 Jul 2019 14:27:13 -0400
+Subject: [PATCH] add customer input parameter error and handle it in the
+ render view
+
+---
+ webapp/graphite/render/views.py | 17 +++++++++++++-
+ webapp/graphite/dashboard/views.py | 2 +-
+
+ 2 files changed, 17 insertions(+), 2 deletion(-)
+
+index 27790b457..227bcf6df 100755
+--- a/webapp/graphite/render/views.py
++++ b/webapp/graphite/render/views.py
+@@ -34,7 +35,7 @@
+ from graphite.render.hashing import hashRequest, hashData
+ from graphite.render.glyph import GraphTypes
+
+-from django.http import HttpResponseServerError, HttpResponseRedirect
++from django.http import HttpResponseServerError, HttpResponseRedirect, HttpResponseBadRequest
+ from django.template import Context, loader
+ from django.core.cache import cache
+ from django.core.exceptions import ObjectDoesNotExist
+@@ -46,6 +47,21 @@
+ from django.utils.cache import add_never_cache_headers, patch_response_headers
+
+
++class InputParameterError(ValueError):
++ pass
+
+
++def handleInputParameterError(f):
++ def new_f(*args, **kwargs):
++ try:
++ return f(*args, **kwargs)
++ except InputParameterError as e:
++ return HttpResponseBadRequest('Bad Request: {err}'.format(err=e))
+
++ return new_f
+
+
++@handleInputParameterError
+ def renderView(request):
+ start = time()
+ (graphOptions, requestOptions) = parseOptions(request)
+--- a/webapp/graphite/dashboard/views.py
++++ b/webapp/graphite/dashboard/views.py
+@@ -16,7 +16,7 @@ from graphite.dashboard.send_graph impor
+ from django.utils.safestring import mark_safe
+ from graphite.compat import HttpResponse
+ from graphite.dashboard.models import Dashboard, Template
+-from graphite.render.views import renderView
++from graphite.render.views import handleInputParameterError, renderView
+ from send_graph import send_graph_email
+ from graphite.util import htmlEscape, is_unsafe_str
+
diff -Nru graphite-web-1.0.2+debian/debian/patches/series graphite-web-1.0.2+debian/debian/patches/series
--- graphite-web-1.0.2+debian/debian/patches/series 2023-07-19 17:08:40.000000000 +0100
+++ graphite-web-1.0.2+debian/debian/patches/series 2023-08-09 11:22:23.000000000 +0100
@@ -2,3 +2,4 @@
 settings_debian.patch
 CVE-2017-18638.patch
 CVE-2022-4728.patch
+CVE-2022-4728-fixed-regression.patch
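Review bot: In the new CVE-2022-4728-fixed-regression.patch, `handleInputParameterError` formats the exception text verbatim into an `HttpResponseBadRequest`, whose content type defaults to HTML, so if an `InputParameterError` message ever echoes the offending request parameter the 400 page becomes a reflected-XSS sink in the same `renderView` that CVE-2022-4728.patch was hardening. Escape the message or send it as plain text, e.g. `return HttpResponseBadRequest('Bad Request: {err}'.format(err=e), content_type='text/plain')` (dashboard/views.py already imports `htmlEscape` from graphite.util, which would also do). The wrapper `new_f` is not decorated with `functools.wraps`, so the view's `__name__` becomes `new_f` in tracebacks and any introspecting middleware, and the dashboard/views.py hunk imports `handleInputParameterError` without applying it in the lines shown. The changelog implies that the earlier CVE-2022-4728.patch references `InputParameterError` before this patch defines it, which would explain the 500-instead-of-400 regression, but that is inferred rather than visible here; a one-line comment above the class, `# Raised by parseOptions for malformed request parameters; renderView maps it to HTTP 400`, would record the contract. `renderView` itself continues outside the hunk.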