Change logs for python-django source package in Jammy

  • python-django (2:3.2.12-2ubuntu1.11) jammy-security; urgency=medium
    
      * SECURITY UPDATE: regular expression denial-of-service
        - debian/patches/CVE-2024-27351.patch: prevented potential ReDoS in
          Truncator.words() in django/utils/text.py,
          tests/utils_tests/test_text.py.
        - CVE-2024-27351
    
     -- Marc Deslauriers <email address hidden>  Mon, 26 Feb 2024 11:53:44 -0500
  • python-django (2:3.2.12-2ubuntu1.10) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2024-24680.patch: rewrite
          regex logic to avoid DoS in django/contrib/humanize/templatetags
          /humanize.py, tests/humanize_tests/tests.py.
        - CVE-2024-24680
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 30 Jan 2024 13:25:10 -0300
  • python-django (2:3.2.12-2ubuntu1.9) jammy-security; urgency=medium
    
      * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
        - debian/patches/CVE-2023-43665.patch: limit size of input strings in
          django/utils/text.py, tests/utils_tests/test_text.py.
        - CVE-2023-43665
    
     -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2023 13:36:26 -0400
  • python-django (2:3.2.12-2ubuntu1.8) jammy-security; urgency=medium
    
      * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
        - debian/patches/CVE-2023-41164.patch: properly handle large number of
          Unicode characters in django/utils/encoding.py,
          tests/utils_tests/test_encoding.py.
        - CVE-2023-41164
    
     -- Marc Deslauriers <email address hidden>  Fri, 15 Sep 2023 08:51:14 -0400
  • python-django (2:3.2.12-2ubuntu1.7) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Potential ReDoS issues
        - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
          EmailValidator and URLValidator in django/core/validators.py,
          django/forms/fields.py, docs/ref/forms/fields.txt,
          docs/ref/validators.txt,
          tests/forms_tests/field_tests/test_emailfield.py,
          tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
        - CVE-2023-36053
    
     -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:24:13 -0400
  • python-django (2:3.2.12-2ubuntu1.6) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Potential bypass of validation when uploading multiple
        files using one form field
        - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
          in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
          tests/forms_tests/field_tests/test_filefield.py,
          tests/forms_tests/widget_tests/test_clearablefileinput.py,
          tests/forms_tests/widget_tests/test_fileinput.py.
        - CVE-2023-31047
    
     -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 10:00:52 -0400
  • python-django (2:3.2.12-2ubuntu1.5) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Potential denial-of-service in file uploads
        - debian/patches/CVE-2023-24580.patch: add limits to
          django/conf/global_settings.py, django/core/exceptions.py,
          django/core/handlers/exception.py, django/http/multipartparser.py,
          django/http/request.py, docs/ref/exceptions.txt,
          docs/ref/settings.txt, tests/handlers/test_exception.py,
          tests/requests/test_data_upload_settings.py.
        - CVE-2023-24580
    
     -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 08:56:44 -0500
  • python-django (2:3.2.12-2ubuntu1.4) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Potential DoS via Accept-Language headers
        - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
          headers in django/utils/translation/trans_real.py,
          tests/i18n/tests.py.
        - CVE-2023-23969
    
     -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:37:50 -0500
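The Accept-Language fix above (and the Truncator and validator ReDoS entries further up) all apply the same pattern: bound the size of untrusted input before a regular expression sees it. The following is an added example of that pattern, written for this page; it is not the patch from the package nor Django's own parser, and the 500-character cap, the regex and the "truncate at the last comma" rule are my assumptions:

```python
import re

# Assumed cap on the raw header length; the illustrative value is mine, not a
# number taken from the package.
ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500

# One language range with an optional quality value, e.g. "en-GB;q=0.8" or "*".
# Every repetition is bounded and delimited, so the match cost grows linearly
# with the (already capped) input.
_LANG_RANGE_RE = re.compile(
    r"^([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)"
    r"(?:\s*;\s*q=(0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?))?$"
)


def parse_accept_lang_header(lang_string):
    """Return ((lang, q), ...) sorted by descending q, or () if unusable.

    Before any regular expression sees the header, it is cut back to the last
    comma inside the length cap; a header with no comma inside the cap is
    treated as empty rather than handed to the parser at full size.
    """
    if len(lang_string) > ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
        cut = lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)
        if cut <= 0:
            return ()
        lang_string = lang_string[:cut]

    result = []
    for piece in lang_string.split(","):
        piece = piece.strip()
        if not piece:
            continue
        match = _LANG_RANGE_RE.match(piece)
        if match is None:
            # One malformed range invalidates the whole header: fall back to
            # the default language instead of guessing.
            return ()
        lang, q = match.groups()
        result.append((lang.lower(), float(q) if q else 1.0))
    # Stable sort keeps the client's order for equal q values.
    result.sort(key=lambda item: item[1], reverse=True)
    return tuple(result)


if __name__ == "__main__":
    print(parse_accept_lang_header("en-GB,en;q=0.8, fr;q=0.5, *;q=0.1"))
    print(parse_accept_lang_header("en," + "a" * 10000))  # capped: parses as just "en"
    print(parse_accept_lang_header("a" * 10000))  # no comma inside the cap: ()
```

The cap is the important part: a header of tens of kilobytes costs one `rfind` and a slice, not a regex run over the whole value, and the per-range regex has no nested unbounded repetition that a crafted value could make backtrack.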
  • python-django (2:3.2.12-2ubuntu1.3) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Potential DoS vulnerability in internationalized URLs
        - debian/patches/CVE-2022-41323.patch: Prevented locales being
          interpreted as regular expressions in django/urls/resolvers.py,
          tests/i18n/patterns/tests.py.
        - CVE-2022-41323
    
     -- Marc Deslauriers <email address hidden>  Tue, 27 Sep 2022 09:35:14 -0400
  • python-django (2:3.2.12-2ubuntu1.2) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Potential reflected file download
        - debian/patches/CVE-2022-36359.patch: escaped filename in
          Content-Disposition header in django/http/response.py,
          tests/responses/test_fileresponse.py.
        - CVE-2022-36359
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 27 Jul 2022 11:12:17 -0300
  • python-django (2:3.2.12-2ubuntu1.1) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Potential SQL injection
        - debian/patches/CVE-2022-34265.patch: protected
          trunc/extract against SQL injection in
          django/db/backends/base/operations.py,
          django/db/models/functions/datetime.py.
        - CVE-2022-34265
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 29 Jun 2022 09:29:53 -0300
  • python-django (2:3.2.12-2ubuntu1) jammy; urgency=medium
    
      * SECURITY UPDATE: Potential SQL injection in QuerySet.annotate(),
        aggregate(), and extra()
        - debian/patches/CVE-2022-28346.patch: prevent SQL injection in column
          aliases in django/db/models/sql/query.py, tests/aggregation/tests.py,
          tests/annotations/tests.py, tests/queries/tests.py,
          tests/expressions/test_queryset_values.py.
        - CVE-2022-28346
      * SECURITY UPDATE: Potential SQL injection via
        QuerySet.explain(**options) on PostgreSQL
        - debian/patches/CVE-2022-28347.patch: prevent SQL injection in
          django/db/backends/postgresql/features.py,
          django/db/backends/postgresql/operations.py,
          django/db/models/sql/query.py, tests/queries/test_explain.py.
        - CVE-2022-28347
    
     -- Marc Deslauriers <email address hidden>  Mon, 11 Apr 2022 08:16:53 -0400
  • python-django (2:3.2.12-2) unstable; urgency=medium
    
      * Fix a traceback around the handling of RequestSite/get_current_site() due
        to a circular import by backporting commit 78163d1a from upstream. Thanks
        to Raphaël Hertzog for the report. (Closes: #1003478)
    
     -- Chris Lamb <email address hidden>  Tue, 22 Feb 2022 09:43:02 +0000
  • python-django (2:3.2.12-1) unstable; urgency=high
    
      * New upstream security release:
    
        - CVE-2022-22818: Possible XSS via {% debug %} template tag.
    
          The {% debug %} template tag didn't properly encode the current context,
          posing an XSS attack vector.
    
          In order to avoid this vulnerability, {% debug %} no longer outputs
          information when the DEBUG setting is False, and it ensures all context
          variables are correctly escaped when the DEBUG setting is True.
    
        - CVE-2022-23833: Denial-of-service possibility in file uploads.
    
          Passing certain inputs to multipart forms could result in an
          infinite loop when parsing files.
    
        See <https://www.djangoproject.com/weblog/2022/feb/01/security-releases/>
        for more information. (Closes: #1004752)
    
     -- Chris Lamb <email address hidden>  Tue, 01 Feb 2022 09:28:58 -0800
  • python-django (2:3.2.11-2) unstable; urgency=medium
    
      [ Chris Lamb ]
      * Fix compatibility with SQLite 3.37+. (Closes: #1004464)
    
      [ Salman Mohammadi ]
      * Drop references to the deprecated python3-memcache package.
    
     -- Chris Lamb <email address hidden>  Fri, 28 Jan 2022 08:52:06 -0800
  • python-django (2:3.2.11-1) unstable; urgency=high
    
      * New upstream security release:
    
        - CVE-2021-45115: Denial-of-service possibility in
          UserAttributeSimilarityValidator
    
          UserAttributeSimilarityValidator incurred significant overhead evaluating
          submitted passwords that were artificially large relative to the
          comparison values. On the assumption that access to user registration was
          unrestricted, this provided a potential vector for a denial-of-service
          attack.
    
          In order to mitigate this issue, relatively long values are now ignored
          by UserAttributeSimilarityValidator.
    
        - CVE-2021-45116: Potential information disclosure in dictsort template
          filter
    
          Due to leveraging the Django Template Language's variable resolution
          logic, the dictsort template filter was potentially vulnerable to
          information disclosure or unintended method calls, if passed a
          suitably crafted key.
    
          In order to avoid this possibility, dictsort now works with a
          restricted resolution logic, that will not call methods, nor allow
          indexing on dictionaries.
    
        - CVE-2021-45452: Potential directory-traversal via Storage.save()
    
          Storage.save() allowed directory-traversal if directly passed suitably
          crafted file names.
    
        See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
        for more information. (Closes: #1003113)
    
     -- Chris Lamb <email address hidden>  Tue, 04 Jan 2022 12:35:16 +0000
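The CVE-2021-45452 entry above describes Storage.save() accepting names that traverse out of the storage root. The check below is an added example written for this page, not the package's patch or Django's own code: it normalises the joined path and refuses anything that does not stay under the base directory, comparing on a separator boundary so a sibling directory with a shared prefix is not mistaken for a child. The function and exception names are mine.

```python
import os


class SuspiciousFileOperation(Exception):
    """Raised when a caller-supplied name would resolve outside the storage root."""


def safe_join(base, *paths):
    """Join `paths` onto `base` and refuse any result that escapes `base`.

    Both the base and the joined result are made absolute and normalised, so
    "..", duplicated separators and absolute components are resolved before
    the containment check. The check compares on a separator boundary, so
    "/srv/media2" is not accepted as a child of "/srv/media".
    """
    base_path = os.path.abspath(base)
    final_path = os.path.abspath(os.path.join(base_path, *paths))
    inside = final_path == base_path or final_path.startswith(
        base_path.rstrip(os.sep) + os.sep
    )
    if not inside:
        raise SuspiciousFileOperation(
            "The joined path ({}) is located outside of the base path "
            "component ({})".format(final_path, base_path)
        )
    return final_path


def classify_names(root, names):
    """Return {name: "ok" | "rejected"} for a batch of candidate upload names."""
    verdicts = {}
    for name in names:
        try:
            safe_join(root, name)
            verdicts[name] = "ok"
        except SuspiciousFileOperation:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed candidate names: the first two are benign, the rest attempt
    # to escape the root in different ways.
    candidates = [
        "uploads/report.csv",
        "a/b/../c.txt",
        "../etc/passwd",
        "/etc/passwd",
        "uploads/../../secret",
        "../media2/x",
    ]
    for name, verdict in classify_names("/srv/media", candidates).items():
        print("{:<24} {}".format(name, verdict))
```

Note that an absolute name is caught without a separate `isabs` test: `os.path.join` discards the base when a later component is absolute, and the resulting path then fails the prefix check.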
  • python-django (2:3.2.10-2) unstable; urgency=medium
    
      * autopkgtest: give the tests names.
        This makes it easy to run any of them individually, and is also better
        than having them called "command1" and "command2" in the autopkgtest
        logs.
      * Backport fixes for more Django ORM regressions.
        Upstream issue: https://code.djangoproject.com/ticket/33282
        That regression affects src:lava in Debian.
        The patches are:
        - 0007-Refs-32786-Made-Query.clear_ordering-not-to-cause-si.patch
        - 0008-Refs-32690-Altered-lookups-Query-rhs-alterations-dur.patch
        - 0009-Fixed-33282-Fixed-a-crash-when-OR-ing-subquery-and-a.patch
    
     -- Antonio Terceiro <email address hidden>  Wed, 08 Dec 2021 15:11:52 -0300
  • python-django (2:3.2.10-1) unstable; urgency=medium
    
      * New upstream release:
        - CVE-2021-44420: Potential bypass of an upstream access control based on
          URL paths:
        Full details are available here:
        <https://www.djangoproject.com/weblog/2021/dec/07/security-releases/>
      * Refresh patches.
    
     -- Chris Lamb <email address hidden>  Tue, 07 Dec 2021 07:46:51 -0800
  • python-django (2:3.2.9-2) unstable; urgency=medium
    
      * Team upload.
      * Fix __in lookup crash when combining with filtered aggregates.
        Fix for: https://code.djangoproject.com/ticket/32690
        This issue affects src:lava, where work is being done towards Django 3.2
        compatibility.
        Upstream patch from:
        https://github.com/django/django/commit/136ff592ad8aa8b7fa1e61435e5501cc98ce8573
      * Add Breaks: on lava-server << 2021.11 (Closes: #996931)
      * Add Breaks: on python-django-pyscss << 2.0.2-10 (Closes: #983618)
    
     -- Antonio Terceiro <email address hidden>  Wed, 10 Nov 2021 11:22:48 -0300
  • python-django (2:2.2.24-1ubuntu1) impish; urgency=medium
    
      * d/p/test_subparser_regression.patch: Fix test regression (LP: #1945993)
    
     -- Athos Ribeiro <email address hidden>  Mon, 04 Oct 2021 10:56:57 -0300