python-django (3:3.2.18-1ubuntu0.5) lunar-security; urgency=medium

  * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
    - debian/patches/CVE-2023-43665.patch: limit size of input strings in
      django/utils/text.py, tests/utils_tests/test_text.py.
    - CVE-2023-43665

 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2023 13:00:07 -0400
-
python-django (3:3.2.18-1ubuntu0.4) lunar-security; urgency=medium

  * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2023-41164.patch: properly handle large number of
      Unicode characters in django/utils/encoding.py,
      tests/utils_tests/test_encoding.py.
    - CVE-2023-41164

 -- Marc Deslauriers <email address hidden>  Fri, 15 Sep 2023 08:39:57 -0400
-
python-django (3:3.2.18-1ubuntu0.3) lunar-security; urgency=medium

  * SECURITY UPDATE: Potential ReDoS issues
    - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
      EmailValidator and URLValidator in django/core/validators.py,
      django/forms/fields.py, docs/ref/forms/fields.txt,
      docs/ref/validators.txt,
      tests/forms_tests/field_tests/test_emailfield.py,
      tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
    - CVE-2023-36053
  * debian/patches/fix-url-validator.patch: Cherry-pick upstream commit to
    fix URLValidator crash in some edge cases (LP: #2025155)

 -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:18:49 -0400
-
python-django (3:3.2.18-1ubuntu0.1) lunar-security; urgency=medium

  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
      in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047

 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 09:55:57 -0400
-
python-django (3:3.2.18-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
      Passing certain inputs to multipart forms could result in too many open
      files or memory exhaustion, and provided a potential vector for a
      denial-of-service attack.
      The number of file parts parsed is now limited via the new
      DATA_UPLOAD_MAX_NUMBER_FILES setting.
      Thanks to Jakob Ackermann for the report. (Closes: #1031290)

 -- Chris Lamb <email address hidden>  Tue, 14 Feb 2023 09:12:57 -0800
-
python-django (3:3.2.17-1) unstable; urgency=medium

  * New security upstream release.
    <https://www.djangoproject.com/weblog/2023/feb/01/security-releases/>
    - CVE-2023-23969: Potential denial-of-service via Accept-Language headers
      The parsed values of Accept-Language headers are cached in order to avoid
      repetitive parsing. This leads to a potential denial-of-service vector
      via excessive memory usage if large header values are sent.
      In order to avoid this vulnerability, the Accept-Language header is now
      parsed up to a maximum length. (Closes: #1030251)
  * Drop 0010-Fixed-inspectdb.tests.InspectDBTestCase.test_custom_.patch;
    applied upstream.
  * Refresh all patches.

 -- Chris Lamb <email address hidden>  Wed, 01 Feb 2023 08:01:01 -0800
-
python-django (3:3.2.16-1ubuntu2) lunar; urgency=medium

  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py,
      tests/i18n/tests.py.
    - CVE-2023-23969

 -- Marc Deslauriers <email address hidden>  Wed, 01 Feb 2023 09:35:23 -0500
-
python-django (3:3.2.16-1ubuntu1) lunar; urgency=medium

  * d/p/0012-Add-Python-3.11-support-for-tests.patch: Make unit tests
    compatible with Python 3.11 to fix build errors (LP: #2002012)

 -- Lena Voytek <email address hidden>  Fri, 06 Jan 2023 11:02:03 -0700
-
python-django (3:3.2.16-1) unstable; urgency=high

  * New upstream security release.
    <https://www.djangoproject.com/weblog/2022/oct/04/security-releases/>
    - CVE-2022-41323: Prevent a potential denial-of-service vulnerability in
      internationalized URLs. Internationalised URLs were subject to potential
      denial of service attack via the locale parameter. This is now escaped to
      avoid this possibility.

 -- Chris Lamb <email address hidden>  Tue, 04 Oct 2022 07:51:21 -0700
-
python-django (3:3.2.15-1ubuntu1) kinetic; urgency=medium

  * SECURITY UPDATE: Potential DoS vulnerability in internationalized URLs
    - debian/patches/CVE-2022-41323.patch: Prevented locales being
      interpreted as regular expressions in django/urls/resolvers.py,
      tests/i18n/patterns/tests.py.
    - CVE-2022-41323

 -- Marc Deslauriers <email address hidden>  Wed, 05 Oct 2022 08:08:25 -0400