SB20250328106 - Anolis OS update for python-django

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2024-24680)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in intcomma template filter. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

2) Inefficient regular expression complexity (CVE-ID: CVE-2024-27351)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions in django.utils.text.Truncator.words(). A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

3) Resource management error (CVE-ID: CVE-2019-14232)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to usage of truncatechars_html and truncatewords_html template filters in django.utils.text.Truncator during evaluation of HTML content. A remote attacker can pass large content in HTML format to the application and trigger resource exhaustion.

4) Resource exhaustion (CVE-ID: CVE-2023-43665)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the chars() and words() methods. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://anas.openanolis.cn/errata/detail/ANSA-2024:0449