
=====================================================================

                              CERT-Renater

                   Note d'Information No. 2022/VULN356

_____________________________________________________________________

DATE                : 06/10/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Django versions prior to 4.1.2,
                                    4.0.8, 3.2.16.

=====================================================================
https://www.djangoproject.com/weblog/2022/oct/04/security-releases/
_____________________________________________________________________

Django security releases issued: 4.1.2, 4.0.8, and 3.2.16
Posted by Carlton Gibson on October 4, 2022
In accordance with our security release policy, the Django team is
issuing Django 4.1.2, Django 4.0.8, and Django 3.2.16. These
releases address the security issue detailed below. We encourage
all users of Django to upgrade as soon as possible.

CVE-2022-41323: Potential denial-of-service vulnerability in
internationalized URLs

Internationalized URLs were subject to potential denial of service
attack via the locale parameter. This is now escaped to avoid this
possibility.

This issue has medium severity, according to the Django security
policy.


Thanks to Benjamin Balder Bach for the report.


Affected supported versions
Django main branch
Django 4.1
Django 4.0
Django 3.2


Resolution
Patches to resolve the issue have been applied to Django's
main branch and the 4.1, 4.0, and 3.2 release branches. The
patches may be obtained from the following changesets:

On the main branch
On the 4.1 release branch
On the 4.0 release branch
On the 3.2 release branch


The following releases have been issued:

Django 4.1.2 (download Django 4.1.2 | 4.1.2 checksums)
Django 4.0.8 (download Django 4.0.8 | 4.0.8 checksums)
Django 3.2.16 (download Django 3.2.16 | 3.2.16 checksums)
The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.
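A quick way to triage deployments against the fixed releases listed above, as an added example (not code from the Django post or from CERT-Renater): it classifies a version string per release branch, and assumes that branches newer than 4.1 (4.2 and later) were cut from the already-patched main branch and therefore carry the fix.

```python
"""Classify Django version strings against the CVE-2022-41323 fixed releases."""
import re
from typing import Optional, Tuple

# Fixed releases announced in the advisory, keyed by release branch.
FIXED_RELEASES = {
    (4, 1): (4, 1, 2),
    (4, 0): (4, 0, 8),
    (3, 2): (3, 2, 16),
}
# Assumption: the fix landed on main, so branches created after it (4.2+) carry it.
FIRST_UNAFFECTED_BRANCH = (4, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'X.Y' or 'X.Y.Z'; trailing pre-release tags (e.g. 'rc1') are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable', 'end-of-life' or 'unknown' for a version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return "patched" if version >= FIXED_RELEASES[branch] else "vulnerable"
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return "patched"
    # Branches older than 3.2 were already out of support and received no fix.
    return "end-of-life"


def installed_status() -> str:
    """Assess the Django installed in the current interpreter, if any."""
    try:
        import django
    except ImportError:
        return "django not installed"
    return assess(django.get_version())


if __name__ == "__main__":
    for sample in ["4.1.1", "4.1.2", "4.0.8", "3.2.15", "3.2.16", "3.1.14"]:
        print(f"{sample:>8}: {assess(sample)}")
    print("installed:", installed_status())
```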

General notes regarding security reporting
As always, we ask that potential security issues be reported
via private email to security@djangoproject.com, and not via
Django's Trac instance or the django-developers list. Please
see our security policies for further information.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


