Format: 1.8
Date: Tue, 03 Sep 2024 12:23:16 +0100
Source: python-django
Binary: python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 3:4.2.15-1~bpo12+1
Distribution: bookworm-backports
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
python-django-doc - High-level Python web development framework (documentation)
python3-django - High-level Python web development framework
Closes: 1037920 1040225 1051226 1076069 1078074
Changes:
python-django (3:4.2.15-1~bpo12+1) bookworm-backports; urgency=medium
.
* Rebuild for bookworm-backports.
.
python-django (3:4.2.15-1) unstable; urgency=high
.
* New upstream security release. (Closes: #1078074)
.
- CVE-2024-41989: Memory exhaustion in django.utils.numberformat.
.
The floatformat template filter is subject to significant memory
consumption when given a string representation of a number in
scientific notation with a large exponent.
.
- CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize.
.
The urlize() and urlizetrunc() template filters are subject to a
potential denial-of-service attack via very large inputs with a specific
sequence of characters.
.
- CVE-2024-41991: Potential denial-of-service vulnerability in
django.utils.html.urlize() and AdminURLFieldWidget.
.
The urlize and urlizetrunc template filters, and the AdminURLFieldWidget
widget, are subject to a potential denial-of-service attack via certain
inputs with a very large number of Unicode characters.
.
- CVE-2024-42005: Potential SQL injection in QuerySet.values() and
values_list().
.
QuerySet.values() and values_list() methods on models with a JSONField
are subject to SQL injection in column aliases via a crafted JSON object
key as a passed *arg.
.
<https://www.djangoproject.com/weblog/2024/aug/06/security-releases/>
.
python-django (3:4.2.14-1) unstable; urgency=medium
.
* New upstream security release. (Closes: #1076069)
.
- CVE-2024-38875: Prevent a potential denial-of-service in
django.utils.html.urlize. This method (and urlizetrunc) was subject to a
potential DoS attack via specially-crafted inputs with a very large
number of brackets.
.
- CVE-2024-39329: Avoid a username enumeration vulnerability through timing
difference for users with unusable password. The authenticate method of
django.contrib.auth.backends.ModelBackend allowed remote attackers to
enumerate users via a timing attack involving login requests for users
with unusable passwords.
.
- CVE-2024-39330: Address a potential directory-traversal in
django.core.files.storage.Storage.save. Derived classes of this method's
base class which override generate_filename without replicating the file
path validations existing in the parent class allowed for potential
directory-traversal via certain inputs when calling save(). Built-in
Storage sub-classes were not affected by this vulnerability.
.
- CVE-2024-39614: Fix a potential denial-of-service in
django.utils.translation.get_supported_language_variant. This method
was subject to a potential DoS attack when used with very long strings
containing specific characters. To mitigate this vulnerability, the
language code provided to get_supported_language_variant is now parsed up
to a maximum length of 500 characters.
.
<https://www.djangoproject.com/weblog/2024/jul/09/security-releases/>
.
python-django (3:4.2.13-1) unstable; urgency=medium
.
* New upstream bugfix releases.
<https://docs.djangoproject.com/en/5.0/releases/4.2.12/>
<https://docs.djangoproject.com/en/5.0/releases/4.2.13/>
.
python-django (3:4.2.11-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2024-27351: Fix a potential regular expression denial-of-service
(ReDoS) attack in django.utils.text.Truncator.words. This method
(with html=True) and the truncatewords_html template filter were subject
to a potential regular expression denial-of-service attack via a suitably
crafted string. This is, in part, a follow up to CVE-2019-14232 and
CVE-2023-43665.
.
<https://docs.djangoproject.com/en/dev/releases/4.2.11/>
.
python-django (3:4.2.10-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2024-24680: Potential denial-of-service in intcomma template filter.
The intcomma template filter was subject to a potential denial-of-service
attack when used with very long strings.
.
<https://docs.djangoproject.com/en/dev/releases/4.2.10/>
.
python-django (3:4.2.9-1) unstable; urgency=medium
.
* New upstream bugfix release.
<https://docs.djangoproject.com/en/dev/releases/4.2.9/>
.
python-django (3:4.2.8-1) unstable; urgency=medium
.
* New upstream bugfix release.
<https://docs.djangoproject.com/en/5.0/releases/4.2.8/>
.
python-django (3:4.2.6-1) unstable; urgency=high
.
* New upstream security release.
.
- CVE-2023-43665: Address a denial-of-service possibility in
django.utils.text.Truncator.
.
Following the fix for CVE-2019-14232, the regular expressions used in the
implementation of django.utils.text.Truncator’s chars() and words()
methods (with html=True) were revised and improved. However, these
regular expressions still exhibited linear backtracking complexity, so
when given a very long, potentially malformed HTML input, the evaluation
would still be slow, leading to a potential denial of service
vulnerability.
.
The chars() and words() methods are used to implement the
truncatechars_html and truncatewords_html template filters, which were
thus also vulnerable.
.
The input processed by Truncator, when operating in HTML mode, has been
limited to the first five million characters in order to avoid potential
performance and memory issues.
.
<https://www.djangoproject.com/weblog/2023/oct/04/security-releases/>
.
python-django (3:4.2.5-2) unstable; urgency=medium
.
* Upload 4.2.x branch to unstable with a -2 suffix to prevent collision with
previous upload of 3:4.2.5-1 to experimental.
.
python-django (3:3.2.21-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2023-41164: Potential denial of service vulnerability in
django.utils.encoding.uri_to_iri(). This method was subject to a potential
denial of service attack via certain inputs with a very large number of
Unicode characters. (Closes: #1051226)
.
<https://www.djangoproject.com/weblog/2023/sep/04/security-releases/>
.
* Refresh patches.
.
python-django (3:3.2.20-1.1) unstable; urgency=high
.
[ Gianfranco Costamagna ]
* Non-maintainer upload.
.
[ Graham Inggs ]
* Cherry-pick upstream commit to fix URLValidator crash in
some edge cases (LP: #2025155, Closes: #1037920)
.
python-django (3:3.2.20-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2023-36053: Potential regular expression denial of service
vulnerability in EmailValidator/URLValidator.
.
EmailValidator and URLValidator were subject to potential regular
expression denial of service attack via a very large number of domain
name labels of emails and URLs. (Closes: #1040225)
Checksums-Sha1:
Checksums-Sha256:
Files: