Change logs for python-django source package in Kinetic

  • python-django (3:3.2.15-1ubuntu1.4) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: Potential ReDoS issues
        - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
          EmailValidator and URLValidator in django/core/validators.py,
          django/forms/fields.py, docs/ref/forms/fields.txt,
          docs/ref/validators.txt,
          tests/forms_tests/field_tests/test_emailfield.py,
          tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
        - CVE-2023-36053
    
     -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:23:46 -0400
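The ReDoS entry above is about how much of an e-mail address or URL the validators' regular expressions are asked to match at once. As an added example (not the page's or Django's code), the block below shows the general defensive shape: cap the input length before any pattern runs, split on structural separators, and match each short piece with an anchored regex that has one bounded quantifier and no nested repetition. The length limits, the character classes and the rule that a host needs at least two labels are this example's assumptions.

```python
import re
from urllib.parse import urlsplit

# Hard caps applied before any pattern runs. The values are this example's
# choices: 254 is the usual upper bound for a deliverable address, 253 the
# maximum length of a DNS hostname, 63 the maximum length of one label.
MAX_EMAIL_LENGTH = 254
MAX_URL_LENGTH = 2048
MAX_HOSTNAME_LENGTH = 253
MAX_LABEL_LENGTH = 63

# Each regex is anchored, has a single bounded quantifier and no nested or
# overlapping repetition, so the matcher cannot backtrack combinatorially;
# each is also only ever run on one short, pre-split piece of the input.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)
_TLD_RE = re.compile(r"^[a-z]{2,63}$", re.IGNORECASE)
_LOCAL_PIECE_RE = re.compile(r"^[a-z0-9!#$%&'*+/=?^_`{|}~-]+$", re.IGNORECASE)


def valid_hostname(host):
    """Validate a dotted hostname one label at a time.

    Splitting first means a pathological input (thousands of labels, or one
    enormous label) costs a single pass over the string plus a short,
    bounded match per label, never one regex over the whole host.
    """
    if not host or len(host) > MAX_HOSTNAME_LENGTH:
        return False
    labels = host.split(".")
    if len(labels) < 2:  # this example requires a TLD, so no bare "localhost"
        return False
    *subdomains, tld = labels
    if not _TLD_RE.match(tld):
        return False
    return all(len(label) <= MAX_LABEL_LENGTH and _LABEL_RE.match(label)
               for label in subdomains)


def valid_email(value):
    """Cheap structural checks first; regexes only on short, pre-split pieces."""
    if not value or len(value) > MAX_EMAIL_LENGTH or "@" not in value:
        return False
    local, _, domain = value.rpartition("@")
    if not local or len(local) > 64:
        return False
    if not all(piece and _LOCAL_PIECE_RE.match(piece) for piece in local.split(".")):
        return False
    return valid_hostname(domain)


def valid_http_url(value):
    """Length cap, then stdlib splitting (linear), then the same label-wise host check."""
    if not value or len(value) > MAX_URL_LENGTH:
        return False
    try:
        parts = urlsplit(value)
        parts.port  # raises ValueError for a malformed port such as ":abc"
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return valid_hostname(parts.hostname)


if __name__ == "__main__":
    # Constructed inputs: the long ones are rejected by the length cap alone.
    for sample in ("alice@example.com", "a" * 64 + "@" + "x." * 200 + "com"):
        print(repr(sample[:40]), valid_email(sample))
    for sample in ("https://example.com/path?q=1", "https://" + "a." * 1100 + "com/"):
        print(repr(sample[:40]), valid_http_url(sample))
```

The order of the checks is the point: by the time a regex runs, the string it sees is at most one label or one local-part piece, so even a hostile input of maximum length costs a bounded amount of work.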
  • python-django (3:3.2.15-1ubuntu1.3) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: Potential bypass of validation when uploading multiple
        files using one form field
        - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
          in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
          tests/forms_tests/field_tests/test_filefield.py,
          tests/forms_tests/widget_tests/test_clearablefileinput.py,
          tests/forms_tests/widget_tests/test_fileinput.py.
        - CVE-2023-31047
    
     -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 09:58:35 -0400
  • python-django (3:3.2.15-1ubuntu1.2) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: Potential denial-of-service in file uploads
        - debian/patches/CVE-2023-24580.patch: add limits to
          django/conf/global_settings.py, django/core/exceptions.py,
          django/core/handlers/exception.py, django/http/multipartparser.py,
          django/http/request.py, docs/ref/exceptions.txt,
          docs/ref/settings.txt, tests/handlers/test_exception.py,
          tests/requests/test_data_upload_settings.py.
        - CVE-2023-24580
    
     -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 08:53:34 -0500
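Two of the upload entries above act at different layers. The CVE-2023-24580 fix adds a ceiling on the number of file parts one request may carry (the DATA_UPLOAD_MAX_NUMBER_FILES setting, with TooManyFilesSent raised when it is exceeded), and the CVE-2023-31047 fix makes a file field that was not declared to accept multiple files refuse a request that carries several files under its name instead of validating only one of them. The example below is added here and is not Django's code: it parses a constructed multipart/form-data body with the standard-library email parser and applies both checks. The limit value, the boundary, the field names and the exception names are this example's choices.

```python
from email import policy
from email.parser import BytesParser

# Cap on file parts per request, chosen small for the demonstration.
MAX_NUMBER_FILES = 3
BOUNDARY = "----ExampleBoundary7MA4YWxk"  # constructed, as is every body built with it


class TooManyFilesSent(Exception):
    """The request carries more file parts than the limit allows."""


class MultipleFilesForSingleField(ValueError):
    """A single-file field received more than one file under its name."""


def build_form_data(parts):
    """Construct a multipart/form-data body for the demonstration.

    parts: list of (field_name, filename_or_None, payload_bytes).
    Returns (content_type, body).
    """
    chunks = []
    for name, filename, data in parts:
        disposition = f'form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        chunks.append(f"--{BOUNDARY}\r\nContent-Disposition: {disposition}\r\n\r\n".encode()
                      + data + b"\r\n")
    chunks.append(f"--{BOUNDARY}--\r\n".encode())
    return f"multipart/form-data; boundary={BOUNDARY}", b"".join(chunks)


def parse_form_data(content_type, body, max_files=MAX_NUMBER_FILES):
    """Parse a multipart/form-data body into (fields, files).

    fields: name -> list of str values; files: name -> list of (filename, bytes).
    The file counter is checked on every file part inside the loop, which is
    where a streaming parser would stop consuming the body.
    """
    head = f"Content-Type: {content_type}\r\nMIME-Version: 1.0\r\n\r\n".encode("ascii")
    message = BytesParser(policy=policy.default).parsebytes(head + body)
    if not message.is_multipart():
        raise ValueError("body is not multipart/form-data")
    fields, files, file_count = {}, {}, 0
    for part in message.iter_parts():
        disposition = part["Content-Disposition"]
        if disposition is None or disposition.content_disposition != "form-data":
            continue
        name = disposition.params.get("name")
        filename = part.get_filename()
        if filename is None:
            fields.setdefault(name, []).append(part.get_content())
            continue
        file_count += 1
        if file_count > max_files:
            raise TooManyFilesSent(f"more than {max_files} files in one request")
        files.setdefault(name, []).append((filename, part.get_payload(decode=True)))
    return fields, files


def file_from_field(files, name, allow_multiple=False):
    """Apply the single-file rule a widget should enforce.

    A field that did not opt in to multiple selection must reject a request
    carrying several files under its name; silently keeping one of them
    would let the others bypass validation.
    """
    uploaded = files.get(name, [])
    if not uploaded:
        return None
    if allow_multiple:
        return list(uploaded)
    if len(uploaded) > 1:
        raise MultipleFilesForSingleField(f"{name!r} accepts one file, got {len(uploaded)}")
    return uploaded[0]


def request_outcome(content_type, body, single_fields=(), max_files=MAX_NUMBER_FILES):
    """What a view would do: map each refusal to a 400-style result string."""
    try:
        _, files = parse_form_data(content_type, body, max_files=max_files)
        for name in single_fields:
            file_from_field(files, name)
    except TooManyFilesSent:
        return "400 too many files"
    except MultipleFilesForSingleField:
        return "400 multiple files for single-file field"
    return "200 ok"


if __name__ == "__main__":
    ct, body = build_form_data([("doc", "a.txt", b"A"), ("doc", "b.txt", b"B")])
    print(request_outcome(ct, body, single_fields=("doc",)))
```

Both refusals are decided before any file content is handed to form validation, which is the property the two fixes restore: the count limit bounds the work a request can cause, and the single-file rule ensures every file the application keeps is one that went through the field's validators.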
  • python-django (3:3.2.15-1ubuntu1.1) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: Potential DoS via Accept-Language headers
        - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
          headers in django/utils/translation/trans_real.py,
          tests/i18n/tests.py.
        - CVE-2023-23969
    
     -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:35:46 -0500
  • python-django (3:3.2.15-1ubuntu1) kinetic; urgency=medium
    
      * SECURITY UPDATE: Potential DoS vulnerability in internationalized URLs
        - debian/patches/CVE-2022-41323.patch: Prevented locales being
          interpreted as regular expressions in django/urls/resolvers.py,
          tests/i18n/patterns/tests.py.
        - CVE-2022-41323
    
     -- Marc Deslauriers <email address hidden>  Wed, 05 Oct 2022 08:08:25 -0400
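The two i18n entries above both handle a value that originates in the Accept-Language header: the CVE-2023-23969 fix bounds how much of the header is parsed (and therefore how large a string can enter the parser's cache), and the CVE-2022-41323 fix stops a locale string from being compiled as a regular expression when it becomes a URL prefix. The example below is added here and is not Django's code; it shows a bounded, cached header parser, language selection against a supported list, and the prefix pattern built with re.escape. The 500-character cap, the tag grammar, the truncate-at-last-comma rule and the base-language fallback are this example's assumptions.

```python
import re
from functools import lru_cache

# Cap on the header length the parser looks at. Bounding the input bounds
# both the parsing work and the size of every key that enters the cache.
ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500

# Deliberately simple BCP 47-shaped tag check: one bounded quantifier per
# subtag and each repetition starts with "-", so matching is linear.
_LANG_TAG_RE = re.compile(r"^[a-z]{1,8}(?:-[a-z0-9]{1,8})*$", re.IGNORECASE)
_QVALUE_RE = re.compile(r"^q\s*=\s*(1(?:\.0{0,3})?|0(?:\.[0-9]{0,3})?)$", re.IGNORECASE)


def parse_accept_lang_header(lang_string):
    """Return ((tag, q), ...) in descending q order, header order kept for ties.

    An oversized header is cut back to the last comma inside the cap so only
    complete entries are parsed; with no comma inside the cap nothing is
    usable and the header is ignored. Only the bounded string reaches the
    cached parser, so a flood of distinct huge headers cannot grow the cache.
    """
    if len(lang_string) > ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
        cut = lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)
        if cut == -1:
            return ()
        lang_string = lang_string[:cut]
    return _parse_bounded(lang_string)


@lru_cache(maxsize=1000)
def _parse_bounded(lang_string):
    result = []
    for item in lang_string.split(","):
        tag, _, params = item.strip().partition(";")
        tag = tag.strip()
        if tag != "*" and not _LANG_TAG_RE.match(tag):
            continue
        q = 1.0
        if params:
            match = _QVALUE_RE.match(params.strip())
            if not match:
                continue
            q = float(match.group(1))
        if q > 0:  # q=0 means "not acceptable"
            result.append((tag.lower(), q))
    result.sort(key=lambda entry: entry[1], reverse=True)  # sort is stable
    return tuple(result)


def get_language_from_header(header, supported):
    """Pick the first acceptable tag that is supported, else its base language."""
    supported = {code.lower() for code in supported}
    for tag, _ in parse_accept_lang_header(header):
        if tag == "*":
            continue
        if tag in supported:
            return tag
        base = tag.split("-", 1)[0]
        if base in supported:
            return base
    return None


def language_prefix_pattern(language_code):
    """Compile the URL prefix for a locale with the locale escaped.

    The code came from a request header, so it is data: re.escape makes it
    match itself literally instead of being interpreted as a pattern.
    """
    return re.compile("^" + re.escape(f"{language_code}/"))


def strip_language_prefix(path, language_code):
    """Return the path after its locale prefix, or None if the prefix is absent."""
    match = language_prefix_pattern(language_code).match(path)
    return path[match.end():] if match else None


if __name__ == "__main__":
    header = "fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5"  # constructed
    print(parse_accept_lang_header(header))
    print(get_language_from_header(header, ("en", "de")))
    print(strip_language_prefix("en-us/about/", "en-us"))
```

Keeping the truncation outside the cached function is deliberate: the cache key is always the bounded string, so the memory a client can pin in the cache is limited by the cap times the cache size, not by the header sizes it chooses to send.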
  • python-django (3:3.2.15-1) unstable; urgency=high
    
      * New upstream security release.
    
        - CVE-2022-36359: Potential reflected file download vulnerability in
          FileResponse. An application may have been vulnerable to a reflected file
          download (RFD) attack that sets the Content-Disposition header of a
          FileResponse when the filename was derived from user-supplied input. The
          filename is now escaped to avoid this possibility.
    
        <https://www.djangoproject.com/weblog/2022/aug/03/security-releases/>
    
     -- Chris Lamb <email address hidden>  Wed, 03 Aug 2022 07:11:45 -0700
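The CVE-2022-36359 entry says the filename is now escaped before it is placed in the Content-Disposition header. The example below is added here and is not Django's FileResponse code; it builds the header for a user-derived name, escaping backslashes and double quotes inside the quoted-string and switching to the RFC 5987 filename* form for non-ASCII names, and it decodes the result the way a client would to confirm the round trip. Refusing CR/LF and emitting no header for an inline response without a filename are this example's choices; stripping directory components from the name is not addressed here.

```python
import re
from urllib.parse import quote, unquote


def content_disposition_header(as_attachment, filename):
    """Build a Content-Disposition value from a filename derived from user input.

    - CR/LF are refused outright: they would terminate the header line.
    - ASCII names go in a quoted-string with backslash and double quote
      escaped, so a name like 'x";y' cannot close the quotes early and
      smuggle an extra parameter or a different extension.
    - Non-ASCII names use the RFC 5987 filename* form with percent-encoding.
    """
    if "\r" in filename or "\n" in filename:
        raise ValueError("header values cannot contain newlines")
    disposition = "attachment" if as_attachment else "inline"
    if not filename:
        return disposition if as_attachment else None
    try:
        filename.encode("ascii")
        file_expr = 'filename="{}"'.format(
            filename.replace("\\", "\\\\").replace('"', r"\""))
    except UnicodeEncodeError:
        file_expr = "filename*=utf-8''{}".format(quote(filename))
    return f"{disposition}; {file_expr}"


def filename_from_header(value):
    """Recover the filename a client would see from a header built above.

    Quoted-string: undo the backslash escaping. Extended form: percent-decode.
    The quoted-string regex has disjoint alternatives (a non-backslash
    character, or a backslash plus one character), so it runs in linear time.
    """
    quoted = re.search(r'filename="((?:[^"\\]|\\.)*)"', value)
    if quoted:
        return re.sub(r"\\(.)", r"\1", quoted.group(1))
    extended = re.search(r"filename\*=utf-8''([^;\s]+)", value, re.IGNORECASE)
    return unquote(extended.group(1)) if extended else None


if __name__ == "__main__":
    # Constructed names: a plain one, one with quote and backslash, one non-ASCII.
    for name in ("report.pdf", 'a"b\\c.txt', "résumé.pdf"):
        header = content_disposition_header(True, name)
        print(header, "->", filename_from_header(header))
```

The escaping matters because the header is a different grammar from the filename: without it, a double quote in the name ends the quoted-string early and whatever follows is parsed as header syntax by the browser, which is what makes a reflected file download possible.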
  • python-django (3:3.2.14-1) unstable; urgency=medium
    
      * Revert Debian unstable to 3.2.x LTS release stream, bumping epoch.
        (Closes: #1016090)
      * Refresh patches.
      * Bump Standards-Version to 4.6.1.
    
     -- Chris Lamb <email address hidden>  Tue, 02 Aug 2022 09:02:41 -0700
  • python-django (2:4.0.6-1) unstable; urgency=high
    
      * New upstream security release:
    
        - CVE-2022-34265: Potential SQL injection via Trunc(kind) and
          Extract(lookup_name) arguments.
    
          "Trunc() and Extract() database functions were subject to SQL injection if
          untrusted data was used as a kind/lookup_name value. Applications that
          constrain the lookup name and kind choice to a known safe list are
          unaffected."
    
          "This security release mitigates the issue, but we have identified
          improvements to the Database API methods related to date extract and
truncate that would be beneficial to add to Django 4.1 before its final
          release. This will impact 3rd party database backends using Django 4.1
          release candidate 1 or newer, until they are able to update to the API
          changes. We apologize for the inconvenience."
    
          <https://www.djangoproject.com/weblog/2022/jul/04/security-releases/>
    
      * Refresh patches.
    
     -- Chris Lamb <email address hidden>  Tue, 05 Jul 2022 12:38:15 +0100
  • python-django (2:4.0.5-2) unstable; urgency=medium
    
      [ Lena Voytek ]
      * Add updated version of SQLite 3.37+ / test_custom_fields patch.
        (Closes: #1012784)
    
      [ Chris Lamb ]
      * Add debian/gitlab-ci.yml.
        - Allow some elements of the pipeline to fail.
    
     -- Chris Lamb <email address hidden>  Thu, 16 Jun 2022 08:00:35 +0100
  • python-django (2:4.0.5-1) unstable; urgency=medium
    
      * Upload 4.x stable release stream to unstable using the 4.0.5 bugfix
        release. (The 4.x stream has been in experimental since September 2021.)
      * Update debian/gbp.conf and debian/watch to match new version series.
      * Update patches.
      * No need to delete django-admin.py script anymore; does not exist in 4.x.
    
     -- Chris Lamb <email address hidden>  Mon, 06 Jun 2022 12:31:50 +0100
  • python-django (2:3.2.13-1) unstable; urgency=high
    
      * New upstream security release:
    
        - CVE-2022-28346: Potential SQL injection in QuerySet.annotate(),
          aggregate(), and extra().
    
          QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL
          injection in column aliases, using a suitably crafted dictionary, with
          dictionary expansion, as the **kwargs passed to these methods.
    
        - CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options)
          on PostgreSQL.
    
          QuerySet.explain() method was subject to SQL injection in option names,
          using a suitably crafted dictionary, with dictionary expansion, as the
          **options argument.
    
        See <https://www.djangoproject.com/weblog/2022/apr/11/security-releases/>
        for more info.
    
     -- Chris Lamb <email address hidden>  Tue, 12 Apr 2022 18:22:30 +0200
  • python-django (2:3.2.12-2ubuntu1) jammy; urgency=medium
    
      * SECURITY UPDATE: Potential SQL injection in QuerySet.annotate(),
        aggregate(), and extra()
        - debian/patches/CVE-2022-28346.patch: prevent SQL injection in column
          aliases in django/db/models/sql/query.py, tests/aggregation/tests.py,
          tests/annotations/tests.py, tests/queries/tests.py,
          tests/expressions/test_queryset_values.py.
        - CVE-2022-28346
      * SECURITY UPDATE: Potential SQL injection via
        QuerySet.explain(**options) on PostgreSQL
        - debian/patches/CVE-2022-28347.patch: prevent SQL injection in
          django/db/backends/postgresql/features.py,
          django/db/backends/postgresql/operations.py,
          django/db/models/sql/query.py, tests/queries/test_explain.py.
        - CVE-2022-28347
    
     -- Marc Deslauriers <email address hidden>  Mon, 11 Apr 2022 08:16:53 -0400
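The three SQL injection entries above (CVE-2022-34265 in the 4.0.6-1 entry, CVE-2022-28346 and CVE-2022-28347 in the 3.2.13-1 and 3.2.12-2ubuntu1 entries) share one root cause: a caller-supplied string ends up in an identifier or keyword position of the query, where parameter binding cannot protect it. The example below is added here and is not Django's code. It runs against SQLite from the standard library and shows the two shapes of fix the entries describe: a closed allowlist for lookup names and truncation kinds (the caller's string is only ever a dictionary key, so "applications that constrain the lookup name and kind choice to a known safe list are unaffected"), and a character check on column aliases and EXPLAIN option names before they are interpolated. The strftime format tables, the alias rule and the EXPLAIN option set are this example's assumptions; the helper rejected() only reports whether a call was refused.

```python
import re
import sqlite3

# Closed allowlists. A caller-supplied lookup name or truncation kind is only
# ever used as a dictionary key; the SQL fragment that reaches the query comes
# from this table, never from the caller's string. SQLite strftime formats
# stand in for EXTRACT/DATE_TRUNC so the example runs on the stdlib.
EXTRACT_LOOKUPS = {
    "year": "%Y", "month": "%m", "day": "%d",
    "hour": "%H", "minute": "%M", "second": "%S",
}
TRUNC_KINDS = {"year": "%Y-01-01", "month": "%Y-%m-01", "day": "%Y-%m-%d"}

# PostgreSQL's boolean EXPLAIN options (assumed set for this example): option
# names arriving as **options keys are checked against it before use.
EXPLAIN_OPTIONS = frozenset(
    {"ANALYZE", "BUFFERS", "COSTS", "SETTINGS", "SUMMARY", "TIMING", "VERBOSE", "WAL"})

# Column aliases are interpolated as identifiers, so the check rejects the
# characters that can end an identifier or start new syntax: whitespace,
# quotes, brackets, semicolons and comment markers. This rule is the
# example's own.
_FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


def check_alias(alias):
    if _FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError("Column aliases cannot contain whitespace characters, "
                         "quotation marks, semicolons, or SQL comments.")
    return alias


def is_valid_alias(alias):
    return _FORBIDDEN_ALIAS_PATTERN.search(alias) is None


def extract_sql(lookup_name, column):
    """SQL for Extract(column, lookup_name); an unknown name never reaches the query."""
    try:
        fmt = EXTRACT_LOOKUPS[lookup_name]
    except KeyError:
        raise ValueError(f"Invalid lookup_name: {lookup_name!r}") from None
    return f"CAST(strftime('{fmt}', {column}) AS INTEGER)"


def trunc_sql(kind, column):
    """SQL for Trunc(column, kind), same allowlist discipline."""
    try:
        fmt = TRUNC_KINDS[kind]
    except KeyError:
        raise ValueError(f"Invalid kind: {kind!r}") from None
    return f"strftime('{fmt}', {column})"


def explain_prefix(output_format=None, **options):
    """PostgreSQL-style EXPLAIN prefix: option names validated, values coerced to booleans."""
    parts = []
    for name, value in options.items():
        upper = name.upper()
        if upper not in EXPLAIN_OPTIONS:
            raise ValueError(f"Unknown option: {name!r}")
        parts.append(f"{upper} {'true' if value else 'false'}")
    if output_format is not None:
        if output_format.upper() not in {"TEXT", "XML", "JSON", "YAML"}:
            raise ValueError(f"Unknown format: {output_format!r}")
        parts.append(f"FORMAT {output_format.upper()}")
    return "EXPLAIN" + (f" ({', '.join(parts)})" if parts else "")


def make_db():
    """Constructed in-memory table of events with ISO timestamps."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (id INTEGER PRIMARY KEY, happened_at TEXT NOT NULL)")
    conn.executemany("INSERT INTO event (happened_at) VALUES (?)",
                     [("2023-06-27 09:23:46",), ("2023-04-26 09:58:35",), ("2022-10-05 08:08:25",)])
    return conn


def annotate(conn, **annotations):
    """SELECT id plus one column per annotation, aliased by the keyword.

    The keys are the attacker-reachable part when a caller writes
    annotate(**untrusted_dict); each is checked and then double-quoted as an
    identifier. Values must be SQL from extract_sql/trunc_sql, not user text.
    """
    columns = ", ".join(f'{sql} AS "{check_alias(alias)}"' for alias, sql in annotations.items())
    return conn.execute(f"SELECT id, {columns} FROM event ORDER BY id").fetchall()


def rejected(fn, *args, **kwargs):
    """True if the call is refused with ValueError, i.e. never reaches the database."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print(annotate(conn, year=extract_sql("year", "happened_at"),
                   month_start=trunc_sql("month", "happened_at")))
    print(rejected(annotate, conn, **{"x; DROP TABLE event": extract_sql("day", "happened_at")}))
```

The distinction between the two checks is worth keeping in mind when reviewing similar code: a keyword such as a lookup name has a small finite set of valid values, so an allowlist is the right tool, whereas an alias is free-form and can only be constrained by excluding the characters that change how the surrounding SQL is parsed.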