• Bug#1107282: python-django: CVE-2025-48432 -- Potential log injection via unescaped request path

    From Chris Lamb@21:1/5 to All on Wed Jun 4 17:20:01 2025
    Package: python-django
    Version: 2:2.2.28-1~deb11u6
    X-Debbugs-CC: team@security.debian.org
    Severity: grave
    Tags: security

    Hi,

    The following vulnerability was published for python-django.

    CVE-2025-48432[0]: Potential log injection via unescaped request path

    Internal HTTP response logging used `request.path` directly,
    allowing control characters (e.g. newlines or ANSI escape
    sequences) to be written unescaped into logs. This could enable
    log injection or forgery, letting attackers manipulate log
    appearance or structure, especially in logs processed by external
    systems or viewed in terminals.

    Although this does not directly impact Django's security model, it
    poses risks when logs are consumed or interpreted by other tools.
    To fix this, the internal `django.utils.log.log_response()`
    function now escapes all positional formatting arguments using a
    safe encoding.

    More info:

    https://www.djangoproject.com/weblog/2025/jun/04/security-releases/


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-48432
    https://www.cve.org/CVERecord?id=CVE-2025-48432


    Regards,

    --
    ,''`.
    : :' : Chris Lamb
    `. `'` lamby@debian.org / chris-lamb.co.uk
    `-

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
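The mechanism the report describes, shown end to end as an added example (this is not code from the report above or from Django itself): a minimal stand-in for the internal `django.utils.log.log_response()` helper logs a constructed attacker-controlled path once unescaped and once with every positional formatting argument escaped. `FakeRequest`, `log_response_vulnerable`, `log_response_hardened`, `escape_log_arg` and the choice of Python's `unicode_escape` codec as the "safe encoding" are assumptions made here for illustration; the request target is constructed.

```python
"""Log injection through an unescaped request path, before and after.

Added example, not Django's code: a minimal stand-in for the internal
``django.utils.log.log_response()`` helper described in the report.
``log_response_vulnerable`` passes ``request.path`` to the logger as-is;
``log_response_hardened`` escapes every positional formatting argument
first. The escaping codec used here (Python's ``unicode_escape``) is an
assumption for illustration, not necessarily the encoding Django chose.
"""
import io
import logging
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class FakeRequest:
    """Constructed stand-in for an HTTP request; only ``path`` matters here."""
    path: str


# Constructed attacker request target: a percent-encoded newline (%0A) and
# ESC (%1B) so the decoded path carries a line break and an ANSI colour code.
RAW_TARGET = "/api/health%0A%1B[31mERROR%20login%20failed%20for%20admin%1B[0m"
ATTACKER_PATH = unquote(RAW_TARGET)  # what request.path would hold after decoding


def _make_logger(name: str) -> tuple[logging.Logger, io.StringIO]:
    """Return a fresh logger writing '<LEVEL> <message>' lines into a buffer."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    return logger, buf


def escape_log_arg(value):
    """Render control characters as visible escapes; non-strings pass through.

    Under ``unicode_escape`` a real newline becomes the two characters ``\\n``
    and ESC becomes ``\\x1b``, so a log consumer sees one record, not two.
    """
    if isinstance(value, str):
        return value.encode("unicode_escape").decode("ascii")
    return value


def log_response_vulnerable(logger, message, *args):
    """'Before': formatting arguments reach the log record untouched."""
    logger.warning(message, *args)


def log_response_hardened(logger, message, *args):
    """'After': every positional formatting argument is escaped first."""
    logger.warning(message, *(escape_log_arg(a) for a in args))


def log_not_found(request, status_code, log_fn):
    """Log a 404 the way a framework might, through the given log function.

    Returns the raw text that landed in the log buffer.
    """
    logger, buf = _make_logger(f"demo.{log_fn.__name__}")
    log_fn(logger, "Not Found: %s (status %d)", request.path, status_code)
    return buf.getvalue()


def has_control_chars(text: str) -> bool:
    """Detection check for a single log record: any C0 control char or DEL."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)


def record_count(log_text: str) -> int:
    """How many lines a line-oriented log shipper would see."""
    return len(log_text.splitlines())


if __name__ == "__main__":
    req = FakeRequest(ATTACKER_PATH)
    for fn in (log_response_vulnerable, log_response_hardened):
        out = log_not_found(req, 404, fn)
        print(f"{fn.__name__}: {record_count(out)} record(s), "
              f"control chars: {has_control_chars(out.rstrip(chr(10)))}")
        print(repr(out))
```

With the unescaped path, one request produces two log lines, and the second one begins with an ANSI colour sequence, so a terminal renders a fake red "ERROR login failed for admin" entry and a line-oriented shipper indexes it as a separate record. Escaping the arguments rather than the format string keeps the framework's own message intact while neutralising whatever the client supplied; `has_control_chars` is the kind of check a log pipeline can run to flag records that slipped through before the fix.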
  • From Debian Bug Tracking System@21:1/5 to All on Wed Jun 4 18:00:01 2025

    Your message dated Wed, 04 Jun 2025 15:51:36 +0000
    with message-id <E1uMqOu-004krB-Uw@fasolo.debian.org>
    and subject line Bug#1107282: fixed in python-django 3:5.2.2-1
    has caused the Debian Bug report #1107282,
    regarding python-django: CVE-2025-48432 -- Potential log injection via unescaped request path
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1107282: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107282
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Debian Bug Tracking System@21:1/5 to All on Wed Jun 4 23:30:01 2025

    Your message dated Wed, 04 Jun 2025 21:19:22 +0000
    with message-id <E1uMvW6-005sHj-3X@fasolo.debian.org>
    and subject line Bug#1107282: fixed in python-django 3:4.2.22-1
    has caused the Debian Bug report #1107282,
    regarding python-django: CVE-2025-48432 -- Potential log injection via unescaped request path
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1107282: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107282
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
