Bug 1207565 (CVE-2023-23969) - VUL-0: CVE-2023-23969: python-Django: potential denial-of-service via Accept-Language headers
Summary: VUL-0: CVE-2023-23969: python-Django: potential denial-of-service via Accept-...
Status: RESOLVED FIXED
Alias: CVE-2023-23969
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/355015/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-23969:5.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-26 09:11 UTC by Thomas Leroy
Modified: 2024-08-08 13:25 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patches (6.46 KB, application/gzip)
2023-01-26 15:08 UTC, Thomas Leroy

Comment 3 Thomas Leroy 2023-01-26 15:08:04 UTC
Created attachment 864468 [details]
patches
Comment 4 Thomas Leroy 2023-01-27 08:33:23 UTC
lru_cache has been added to `parse_accept_lang_header()` in v2.1 [0]. SUSE codestreams ship 1.11, and f1c007bbf2fcd4996e29f0482c32faf5df397aa0 has not been backported. SUSE codestreams are not affected.

[0] https://github.com/django/django/commit/f1c007bbf2fcd4996e29f0482c32faf5df397aa0
Comment 5 Thomas Leroy 2023-02-01 12:12:18 UTC
Public in oss-sec:

https://www.djangoproject.com/weblog/2023/feb/01/security-releases/

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team
is issuing
`Django 4.1.6 <https://docs.djangoproject.com/en/dev/releases/4.1.6/>`_,
`Django 4.0.9 <https://docs.djangoproject.com/en/dev/releases/4.0.9/>`_, and
`Django 3.2.17 <https://docs.djangoproject.com/en/dev/releases/3.2.17/>`_.
These releases address the security issue detailed below. We encourage all
users of Django to upgrade as soon as possible.

CVE-2023-23969: Potential denial-of-service via ``Accept-Language`` headers
===========================================================================

The parsed values of ``Accept-Language`` headers are cached in order to avoid
repetitive parsing. This leads to a potential denial-of-service vector via
excessive memory usage if large header values are sent.

In order to avoid this vulnerability, the ``Accept-Language`` header is now
parsed up to a maximum length.

Thanks to Nick Pope for the report and patch.

This issue has severity "moderate" according to the Django security policy.

Affected supported versions
===========================

* Django main branch
* Django 4.2 (currently at pre-release alpha status)
* Django 4.1
* Django 4.0
* Django 3.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main branch and the
4.2, 4.1, 4.0, and 3.2 release branches. The patches may be obtained from the
following changesets:

* On the `main branch <https://github.com/django/django/commit/8c660fb59239828583f17cdede3b64f208b8752c>`__
* On the `4.2 release branch <https://github.com/django/django/commit/8a7b22d4a623bcd95190d2f5a958472fb41e576d>`__
* On the `4.1 release branch <https://github.com/django/django/commit/9d7bd5a56b1ce0576e8e07a8001373576d277942>`__
* On the `4.0 release branch <https://github.com/django/django/commit/4452642f193533e288a52c02efb5bbc766a68f95>`__
* On the `3.2 release branch <https://github.com/django/django/commit/c7e0151fdf33e1b11d488b6f67b94fdf3a30614a>`__

The following releases have been issued:

* Django 4.1.6 (`download Django 4.1.6 <https://www.djangoproject.com/m/releases/4.1/Django-4.1.6.tar.gz>`_ | `4.1.6 checksums <https://www.djangoproject.com/m/pgp/Django-4.1.6.checksum.txt>`_)
* Django 4.0.9 (`download Django 4.0.9 <https://www.djangoproject.com/m/releases/4.0/Django-4.0.9.tar.gz>`_ | `4.0.9 checksums <https://www.djangoproject.com/m/pgp/Django-4.0.9.checksum.txt>`_)
* Django 3.2.17 (`download Django 3.2.17 <https://www.djangoproject.com/m/releases/3.2/Django-3.2.17.tar.gz>`_ | `3.2.17 checksums <https://www.djangoproject.com/m/pgp/Django-3.2.17.checksum.txt>`_)

The PGP key ID used for this release is Mariusz Felisiak: `2EF56372BA48CD1B <https://github.com/felixxm.gpg>`_.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security@djangoproject.com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.
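As an added illustration, not code from this bug, from Django, or from the announcement above: a simplified Accept-Language parser memoised the way comment 4 describes (an `lru_cache` wrapper on the raw header string), next to the shape of the fix the advisory describes (only a bounded prefix ever reaches the cache). The parser grammar, the helper names, and the 500-character cap are assumptions made for this example.

```python
import functools
import re

# Assumed cap: the upstream fix introduces a constant of this kind; 500 is our guess.
ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500
LANG_RE = re.compile(r"[a-z]{1,8}(?:-[a-z0-9]{1,8})*|\*")
MISS_SIZES = []  # length of every header string that reached the real parser


def _parse(lang_string):
    """Simplified parser: 'en-US,en;q=0.8' -> ((lang, q), ...) by q desc, () if malformed."""
    MISS_SIZES.append(len(lang_string))  # every call here is a cache miss
    result = []
    for item in lang_string.lower().split(","):
        lang, _, params = map(str.strip, item.partition(";"))
        if not LANG_RE.fullmatch(lang) or (params and not params.startswith("q=")):
            return ()
        try:
            q = float(params[2:]) if params else 1.0
        except ValueError:
            return ()
        result.append((lang, q))
    result.sort(key=lambda k: k[1], reverse=True)
    return tuple(result)


# Pre-fix shape: the memoised function receives the raw header, so every distinct
# oversized value a client sends stays resident as a cache key until evicted.
parse_unbounded = functools.lru_cache(maxsize=1000)(_parse)

# Post-fix shape: the memoised function only ever sees a bounded prefix.
_parse_cached = functools.lru_cache(maxsize=1000)(_parse)


def parse_accept_lang_header(lang_string):
    if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
        return _parse_cached(lang_string)
    # Cut at the last comma inside the limit so no half-written tag is cached.
    index = lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)
    return _parse_cached(lang_string[:index]) if index > 0 else ()


def make_header(i, size):
    """Constructed oversized, well-formed header of about `size` bytes, distinct per i."""
    tag = f"x-{i:08d}"
    return ",".join([tag] * (size // (len(tag) + 1) + 1))


def retained_key_bytes(parse, n, size):
    """Push n distinct headers through parse; return bytes of header text its cache holds."""
    parse_unbounded.cache_clear()
    _parse_cached.cache_clear()
    MISS_SIZES.clear()
    for i in range(n):
        parse(make_header(i, size))
    return sum(MISS_SIZES)
```

With 50 distinct 100 KB headers the unbounded cache retains 5,000,000 bytes of key text, the bounded one 24,700; the ratio grows linearly with header size in the first case and not at all in the second.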
Comment 6 Alberto Planas Dominguez 2023-02-01 12:46:38 UTC
Besides Tumbleweed, what other streams need an update?
Comment 7 Thomas Leroy 2023-02-01 14:15:38 UTC
(In reply to Alberto Planas Dominguez from comment #6)
> Besides Tumbleweed, what other streams need an update?

Backports codestreams:
- openSUSE:Backports:SLE-15-SP3:Update
- openSUSE:Backports:SLE-15-SP4:Update
Comment 8 Christian Almeida de Oliveira 2023-02-02 13:25:06 UTC
Hi,
the information I have is that the supported versions for SOC 8 and SOC 9 are not impacted, thus not an issue for cloud-bugs.
Back to the Security team.
Comment 9 Alberto Planas Dominguez 2023-02-02 16:01:38 UTC
TW has been updated to the new version, and the fix backported to openSUSE:Backports:SLE-15-SP{3,4}

IMHO this can be closed
Comment 10 OBSbugzilla Bot 2023-02-02 16:35:04 UTC
This is an autogenerated message for OBS integration:
This bug (1207565) was mentioned in
https://build.opensuse.org/request/show/1062679 Backports:SLE-15-SP3 / python-Django
https://build.opensuse.org/request/show/1062680 Backports:SLE-15-SP4 / python-Django
Comment 11 Thomas Leroy 2023-02-02 16:37:38 UTC
(In reply to Alberto Planas Dominguez from comment #9)
> TW has been updated to the new version, and the fix backported to
> openSUSE:Backports:SLE-15-SP{3,4}
> 
> IMHO this can be closed

Thanks Alberto! Closing
Comment 12 Swamp Workflow Management 2023-02-21 20:05:32 UTC
openSUSE-SU-2023:0057-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1203793,1207565
CVE References: CVE-2022-41323,CVE-2023-23969
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    python-Django-2.2.28-bp154.2.6.1
Comment 13 OBSbugzilla Bot 2023-07-10 13:15:05 UTC
This is an autogenerated message for OBS integration:
This bug (1207565) was mentioned in
https://build.opensuse.org/request/show/1097960 Backports:SLE-15-SP5 / python-Django
Comment 14 Marcus Meissner 2023-07-13 19:05:31 UTC
openSUSE-SU-2023:0178-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1203793,1207565,1208082,1212742
CVE References: CVE-2022-41323,CVE-2023-23969,CVE-2023-24580,CVE-2023-36053
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    python-Django-2.2.28-bp155.7.3.1
Comment 19 Maintenance Automation 2024-07-17 16:30:09 UTC
SUSE-SU-2024:2545-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1207565, 1227590, 1227593, 1227594, 1227595
CVE References: CVE-2023-23969, CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, CVE-2024-39614
Maintenance Incident: [SUSE:Maintenance:34811](https://smelt.suse.de/incident/34811/)
Sources used:
openSUSE Leap 15.5 (src):
 python-Django-2.0.7-150000.1.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Camila Camargo de Matos 2024-07-18 12:44:47 UTC
This bug has been reopened as it seems like openSUSE:Backports:SLE-15-SP5/python-Django is still affected by this issue.
Comment 22 Alberto Planas Dominguez 2024-07-18 13:37:13 UTC
(In reply to Camila Camargo de Matos from comment #21)
> This bug has been reopened as it seems like
> openSUSE:Backports:SLE-15-SP5/python-Django is still affected by this issue.

Hi Camargo,

I can see the fix in openSUSE:Backports:SLE-15-SP5/python-Django:

https://build.opensuse.org/package/show/openSUSE:Backports:SLE-15-SP5:Update/python-Django.18324

(see fix-cve-2023-23969.patch and the changelog)

"""
-------------------------------------------------------------------
Thu Feb  2 15:48:01 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>

- Add fix-cve-2023-23969.patch (bsc#1207565, CVE-2023-23969)
"""
Comment 23 Camila Camargo de Matos 2024-07-18 14:03:23 UTC
(In reply to Alberto Planas Dominguez from comment #22)
> (In reply to Camila Camargo de Matos from comment #21)
> > This bug has been reopened as it seems like
> > openSUSE:Backports:SLE-15-SP5/python-Django is still affected by this issue.
> 
> Hi Camargo,
> 
> I can see the fix in openSUSE:Backports:SLE-15-SP5/python-Django:
> 
> https://build.opensuse.org/package/show/openSUSE:Backports:SLE-15-SP5:Update/
> python-Django.18324
> 
> (see fix-cve-2023-23969.patch and the changelog)
> 
> """
> -------------------------------------------------------------------
> Thu Feb  2 15:48:01 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>
> 
> - Add fix-cve-2023-23969.patch (bsc#1207565, CVE-2023-23969)
> """

My apologies, it was a mistake on my part then. Thanks for the information!
Comment 24 Andrea Mattiazzo 2024-07-26 10:24:46 UTC
All done, closing.
Comment 25 OBSbugzilla Bot 2024-07-26 13:25:02 UTC
This is an autogenerated message for OBS integration:
This bug (1207565) was mentioned in
https://build.opensuse.org/request/show/1189777 Backports:SLE-15-SP5 / python-Django
Comment 26 OBSbugzilla Bot 2024-08-08 13:25:04 UTC
This is an autogenerated message for OBS integration:
This bug (1207565) was mentioned in
https://build.opensuse.org/request/show/1192621 Backports:SLE-15-SP5 / python-Django