[ASA-202506-6] python-django: content spoofing
Arch Linux Security Advisory ASA-202506-6
=========================================

Severity: Low
Date    : 2025-06-12
CVE-ID  : CVE-2025-48432
Package : python-django
Type    : content spoofing
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2894

Summary
=======

The package python-django before version 5.1.11-1 is vulnerable to content spoofing.

Resolution
==========

Upgrade to 5.1.11-1.

# pacman -Syu "python-django>=5.1.11-1"

The problem has been fixed upstream in version 5.1.11.

Workaround
==========

None.

Description
===========

Internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals.

Impact
======

A remote attacker can manipulate log entries by sending crafted HTTP requests with control characters in the path, potentially spoofing or injecting content into server logs.

References
==========

https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/
https://docs.djangoproject.com/en/dev/releases/5.1.10/#cve-2025-48432-potential-log-injection-via-unescaped-request-path
https://docs.djangoproject.com/en/dev/releases/5.1.11/
https://security.archlinux.org/CVE-2025-48432
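
Added example (not part of the advisory and not Django's patch): the log-forgery effect from the Description reproduced with Python's standard logging module, next to a filter that escapes control characters in log arguments before formatting. The logger names, EscapeArgsFilter, render and the sample path are constructed for this illustration.

```python
import io
import logging

# Constructed sample: a request path carrying a newline plus a forged log
# line, and an ANSI escape sequence, as the Description mentions.
SAMPLE_PATH = "/missing\nWARNING Forged entry\x1b[2K"
# EscapeArgsFilter and render are names made up for this example, not Django APIs.


def escape_control(value):
    """Return str values with control and non-ASCII characters backslash-escaped."""
    if isinstance(value, str):
        return value.encode("unicode_escape").decode("ascii")
    return value


class EscapeArgsFilter(logging.Filter):
    """Escape every string argument before the record is formatted."""

    def filter(self, record):
        if isinstance(record.args, tuple):
            record.args = tuple(escape_control(a) for a in record.args)
        elif isinstance(record.args, dict):
            record.args = {k: escape_control(v) for k, v in record.args.items()}
        return True


def render(path, hardened):
    """Log one 'Not Found' message for path and return the text written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if hardened:
        handler.addFilter(EscapeArgsFilter())
    logger = logging.getLogger("asa_example.hardened" if hardened else "asa_example.raw")
    logger.propagate = False
    logger.addHandler(handler)
    try:
        logger.warning("%s: %s", "Not Found", path)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue()


if __name__ == "__main__":
    print(repr(render(SAMPLE_PATH, hardened=False)))  # two physical log lines
    print(repr(render(SAMPLE_PATH, hardened=True)))   # one line, escapes visible
```

A filter like this is defense in depth for application loggers that record request data; it does not replace upgrading to 5.1.11-1.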