Accepted python-django 2:3.2.12-1~bpo11+1 (source all) into bullseye-backports
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 18 Feb 2022 09:51:31 -0800
Source: python-django
Binary: python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 2:3.2.12-1~bpo11+1
Distribution: bullseye-backports
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
python-django-doc - High-level Python web development framework (documentation)
python3-django - High-level Python web development framework
Closes: 1003113 1004464 1004752
Changes:
python-django (2:3.2.12-1~bpo11+1) bullseye-backports; urgency=medium
.
* Rebuild for bullseye-backports.
.
python-django (2:3.2.12-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2022-22818: Possible XSS via {% debug %} template tag.
.
The {% debug %} template tag didn't properly encode the current context,
posing an XSS attack vector.
.
In order to avoid this vulnerability, {% debug %} no longer outputs
information when the DEBUG setting is False, and it ensures all context
variables are correctly escaped when the DEBUG setting is True.
.
- CVE-2022-23833: Denial-of-service possibility in file uploads.
.
Passing certain inputs to multipart forms could result in an
infinite loop when parsing files.
.
See <https://www.djangoproject.com/weblog/2022/feb/01/security-releases/>
for more information. (Closes: #1004752)
.
python-django (2:3.2.11-2) unstable; urgency=medium
.
[ Chris Lamb ]
* Fix compatibility with SQLite 3.37+. (Closes: #1004464)
.
[ Salman Mohammadi ]
* Drop references to the deprecated python3-memcache package.
.
[ Mattia Rizzolo ]
* Add a Breaks against python3-django-countries (<< 7,1~).
* Add a Breaks against python3-django-tables2 (<< 2.3.4) (see #985774).
.
python-django (2:3.2.11-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2021-45115: Denial-of-service possibility in
UserAttributeSimilarityValidator
.
UserAttributeSimilarityValidator incurred significant overhead evaluating
submitted passwords that were artificially large relative to the
comparison values. On the assumption that access to user registration was
unrestricted, this provided a potential vector for a denial-of-service
attack.
.
In order to mitigate this issue, relatively long values are now ignored
by UserAttributeSimilarityValidator.
.
- CVE-2021-45116: Potential information disclosure in dictsort template
filter
.
Due to leveraging the Django Template Language's variable resolution
logic, the dictsort template filter was potentially vulnerable to
information disclosure or unintended method calls, if passed a
suitably crafted key.
.
In order to avoid this possibility, dictsort now works with a
restricted resolution logic, that will not call methods, nor allow
indexing on dictionaries.
.
- CVE-2021-45452: Potential directory-traversal via Storage.save()
.
Storage.save() allowed directory-traversal if directly passed suitably
crafted file names.
.
See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
for more information. (Closes: #1003113)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
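The length guard described for CVE-2021-45115 above, as an added Python sketch that is not Django's code and not part of the original upload notice: a comparison is skipped whenever the two lengths alone already rule out reaching the similarity threshold, so an oversized password costs no matching work. The function names, the 0.7 threshold and the sample user are assumptions made for this illustration.

```python
import re
from difflib import SequenceMatcher


def max_possible_ratio(a_len, b_len):
    # SequenceMatcher.ratio() is 2*M/(len_a+len_b) and M can never exceed
    # the shorter string, so this is an upper bound computed from lengths only.
    return 2.0 * min(a_len, b_len) / (a_len + b_len)


def similar_attribute(password, attributes, max_similarity=0.7):
    """Return (attribute name or None, number of comparisons actually run)."""
    if not 0 < max_similarity <= 1:
        raise ValueError("max_similarity must be in (0, 1]")
    password = password.lower()
    comparisons = 0
    for name, value in attributes.items():
        value = value.lower()
        # Compare against the whole value and each word-like part of it.
        for part in sorted(set(re.split(r"\W+", value)) | {value}):
            if not part:
                continue
            if max_possible_ratio(len(password), len(part)) < max_similarity:
                # Relatively long (or short) input: the threshold is
                # unreachable, so ignore it without doing any matching.
                continue
            comparisons += 1
            matcher = SequenceMatcher(a=password, b=part)
            if matcher.quick_ratio() >= max_similarity:
                return name, comparisons
    return None, comparisons


# Constructed sample data (hypothetical user and passwords).
USER = {"username": "alice", "email": "alice@example.com"}
OVERSIZED = "alice" + "x" * 100_000

if __name__ == "__main__":
    print(similar_attribute("alice1", USER))   # flagged against the username
    print(similar_attribute(OVERSIZED, USER))  # every comparison skipped
```

Because the skip condition is an upper bound on the ratio, it never changes which passwords are rejected; it only removes the expensive comparisons that could not have matched.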