Django: CVE-2023-23969: Potential denial-of-service via Accept-Language headers.

[Mariusz Felisiak <felisiak.mariusz () gmail com>]

https://www.djangoproject.com/weblog/2023/feb/01/security-releases/

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the 
Django team
is issuing
`Django 4.1.6 <https://docs.djangoproject.com/en/dev/releases/4.1.6/>`_,
`Django 4.0.9 <https://docs.djangoproject.com/en/dev/releases/4.0.9/>`_, and
`Django 3.2.17 <https://docs.djangoproject.com/en/dev/releases/3.2.17/>`_.
These releases addresses the security issue detailed below. We encourage all
users of Django to upgrade as soon as possible.

CVE-2023-23969: Potential denial-of-service via ``Accept-Language`` headers
===========================================================================

The parsed values of ``Accept-Language`` headers are cached in order to 
avoid
repetitive parsing. This leads to a potential denial-of-service vector via
excessive memory usage if large header values are sent.

In order to avoid this vulnerability, the ``Accept-Language`` header is now
parsed up to a maximum length.

Thanks to Nick Pope for the report and patch.

This issue has severity "moderate" according to the Django security policy.

Affected supported versions
===========================

* Django main branch
* Django 4.2 (currently at pre-release alpha status)
* Django 4.1
* Django 4.0
* Django 3.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main branch 
and the
4.2, 4.1, 4.0, and 3.2 release branches. The patches may be obtained 
from the
following changesets:

* On the `main branch 
<https://github.com/django/django/commit/8c660fb59239828583f17cdede3b64f208b8752c>`__
* On the `4.2 release branch 
<https://github.com/django/django/commit/8a7b22d4a623bcd95190d2f5a958472fb41e576d>`__
* On the `4.1 release branch 
<https://github.com/django/django/commit/9d7bd5a56b1ce0576e8e07a8001373576d277942>`__
* On the `4.0 release branch 
<https://github.com/django/django/commit/4452642f193533e288a52c02efb5bbc766a68f95>`__
* On the `3.2 release branch 
<https://github.com/django/django/commit/c7e0151fdf33e1b11d488b6f67b94fdf3a30614a>`__

The following releases have been issued:

* Django 4.1.6 (`download Django 4.1.6 
<https://www.djangoproject.com/m/releases/4.1/Django-4.1.6.tar.gz>`_ | 
`4.1.6 checksums 
<https://www.djangoproject.com/m/pgp/Django-4.1.6.checksum.txt>`_)
* Django 4.0.9 (`download Django 4.0.9 
<https://www.djangoproject.com/m/releases/4.0/Django-4.0.9.tar.gz>`_ | 
`4.0.9 checksums 
<https://www.djangoproject.com/m/pgp/Django-4.0.9.checksum.txt>`_)
* Django 3.2.17 (`download Django 3.2.17 
<https://www.djangoproject.com/m/releases/3.2/Django-3.2.17.tar.gz>`_ | 
`3.2.17 checksums 
<https://www.djangoproject.com/m/pgp/Django-3.2.17.checksum.txt>`_)

The PGP key ID used for this release is Mariusz Felisiak: 
`2EF56372BA48CD1B <https://github.com/felixxm.gpg>`_.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.