Accepted python-django 1:1.10.7-2+deb9u14 (source all) into oldstable

Format: 1.8
Date: Sat, 05 Jun 2021 10:40:51 +0100
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1:1.10.7-2+deb9u14
Distribution: stretch-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 989394
Changes:
 python-django (1:1.10.7-2+deb9u14) stretch-security; urgency=high
 .
   * Upload from the LTS security team. (Closes: #989394)
   * CVE-2021-33203: Potential directory traversal via admindocs
 .
     Staff members could use the admindocs TemplateDetailView view to
     check the existence of arbitrary files. Additionally, if (and only
     if) the default admindocs templates have been customized by the
     developers to also expose the file contents, then not only the
     existence but also the file contents would have been exposed.
 .
     As a mitigation, path sanitation is now applied and only files
     within the template root directories can be loaded.
 .
     This issue has low severity, according to the Django security
     policy.
 .
     Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
     the CodeQL Python team for the report.
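A stand-alone illustration, added here and not taken from Django or from this upload, of the kind of containment check the mitigation above describes: a user-supplied template name is resolved against each configured template root and rejected before any existence check if it escapes that root. The SuspiciousFileOperation class, safe_template_path(), the fixture directory and its file name are all constructed for this example.

```python
import os
import tempfile
from pathlib import Path

# Added example: not Django's admindocs code; every name here is constructed.


class SuspiciousFileOperation(Exception):
    """Raised when a template name escapes every configured template root."""


def safe_template_path(template_dirs, template_name):
    """Return the resolved path of template_name inside one of template_dirs.

    Each candidate is resolved (symlinks included) and must stay inside the
    resolved root; '../../etc/passwd' or '/etc/passwd' raise before any
    existence check, so the lookup cannot probe for arbitrary files.
    Returns None when no root contains the template.
    """
    for directory in template_dirs:
        root = Path(directory).resolve()
        # Joining discards root when template_name is absolute, resolve()
        # collapses '..' components, and relative_to() then fails for any
        # path outside root ('/tmp/ab' is not inside '/tmp/a' either).
        candidate = (root / template_name).resolve()
        try:
            candidate.relative_to(root)
        except ValueError:
            raise SuspiciousFileOperation(
                f"{template_name!r} resolves outside template root {root}"
            ) from None
        if candidate.is_file():
            return candidate
    return None


def make_template_root():
    """Constructed fixture: a throwaway template root holding one template."""
    root = tempfile.mkdtemp(prefix="tpl-root-")
    os.makedirs(os.path.join(root, "admin_doc"))
    with open(os.path.join(root, "admin_doc", "index.html"), "w") as fh:
        fh.write("<h1>constructed sample template</h1>\n")
    return root


def lookup_is_contained(template_dirs, template_name):
    """True if the lookup stays inside a root, False if it was rejected."""
    try:
        safe_template_path(template_dirs, template_name)
    except SuspiciousFileOperation:
        return False
    return True
```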
 .
   * CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
     since validators accepted leading zeros in IPv4 addresses
 .
     URLValidator, validate_ipv4_address(), and
     validate_ipv46_address() didn't prohibit leading zeros in octal
     literals. If you used such values you could suffer from
     indeterminate SSRF, RFI, and LFI attacks.
 .
     validate_ipv4_address() and validate_ipv46_address() validators
     were not affected on Python 3.9.5+.
 .
     This issue has medium severity, according to the Django security
     policy.
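An added example, not Django's validators.py, showing the policy the CVE-2021-33571 fix enforces: an IPv4 address is accepted only in dotted-decimal form with no leading zeros in any octet, so "010.0.0.1" is rejected instead of being left to a resolver such as glibc's inet_aton(), which parses a leading-zero octet as octal. The function names and the regex are this example's own; the explicit octet check makes the result the same on Python releases before and after 3.9.5.

```python
import ipaddress
import re

# Added example: not Django's own validator code; names are constructed.

# One octet: "0" or 1-255 written without leading zeros ("01" never matches).
_OCTET = r"(?:0|25[0-5]|2[0-4]\d|1\d\d|[1-9]\d?)"
STRICT_IPV4_RE = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def has_leading_zero_octet(value: str) -> bool:
    """True if any dotted octet is written like '01' or '007'."""
    return any(o != "0" and o.startswith("0") for o in value.split("."))


def is_strict_ipv4(value: str) -> bool:
    """Parse as IPv4 and additionally reject leading-zero octets.

    ipaddress.IPv4Address() accepted '010.0.0.1' before Python 3.9.5; the
    explicit check below keeps the verdict independent of the interpreter.
    """
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return not has_leading_zero_octet(value)


def is_strict_ipv4_regex(value: str) -> bool:
    """Same policy as a single regex, the form usable inside a URL validator."""
    return STRICT_IPV4_RE.match(value) is not None
```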
