
Accepted python-django 3:4.2.18-1~bpo12+1 (source) into stable-backports

Format: 1.8
Date: Wed, 05 Feb 2025 09:39:21 +0000
Source: python-django
Architecture: source
Version: 3:4.2.18-1~bpo12+1
Distribution: bookworm-backports
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1078074 1082209 1093049
Changes:
 python-django (3:4.2.18-1~bpo12+1) bookworm-backports; urgency=medium
 .
   * Rebuild for bookworm-backports.
 .
 python-django (3:4.2.18-1) unstable; urgency=high
 .
   * New upstream security release. (Closes: #1093049)
 .
     - CVE-2024-56374: Potential denial-of-service vulnerability in IPv6
       validation.
 .
       A lack of upper bound limit enforcement in strings passed when performing
       IPv6 validation could have led to a potential denial-of-service (DoS)
       attack. The undocumented and private functions clean_ipv6_address and
       is_valid_ipv6_address were vulnerable, as was the GenericIPAddressField
       form field, which has now been updated to define a max_length of 39
       characters. The GenericIPAddressField model field was not affected.
 .
     <https://www.djangoproject.com/weblog/2025/jan/14/security-releases/>
 .
 python-django (3:4.2.17-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix CommandTypes.test_help_default_options_with_custom_arguments test on
     Python 3.13+ (closes: #1082209).
 .
 python-django (3:4.2.17-1) unstable; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2024-53907: Potential DoS in django.utils.html.strip_tags.
       The strip_tags() method and striptags template filter were subject to a
       potential denial-of-service attack via certain inputs containing large
       sequences of nested incomplete HTML entities.
 .
     - CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle.
       Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle
       was subject to SQL injection if untrusted data is used as an lhs value.
       Applications that use the jsonfield.has_key lookup through the __ syntax
       are unaffected.
 .
     <https://www.djangoproject.com/weblog/2024/dec/04/security-releases/>
 .
   * Refresh patches.
 .
 python-django (3:4.2.16-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2024-45230: Potential denial-of-service vulnerability in
       django.utils.html.urlize(). urlize and urlizetrunc were subject to a
       potential denial-of-service attack via very large inputs with a specific
       sequence of characters.
 .
     - CVE-2024-45231: Potential user email enumeration via response status on
       password reset. Due to unhandled email sending failures, the
       django.contrib.auth.forms.PasswordResetForm class allowed remote
       attackers to enumerate user emails by issuing password reset requests and
       observing the outcomes. To mitigate this risk, exceptions occurring
       during password reset email sending are now handled and logged using the
       django.contrib.auth logger.
 .
   * Bump Standards-Version to 4.7.0.
 .
 python-django (3:4.2.15-1) unstable; urgency=high
 .
   * New upstream security release. (Closes: #1078074)
 .
     - CVE-2024-41989: Memory exhaustion in django.utils.numberformat.
 .
       The floatformat template filter is subject to significant memory
       consumption when given a string representation of a number in
       scientific notation with a large exponent.
 .
     - CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize.
 .
       The urlize() and urlizetrunc() template filters are subject to a
       potential denial-of-service attack via very large inputs with a specific
       sequence of characters.
 .
     - CVE-2024-41991: Potential denial-of-service vulnerability in
       django.utils.html.urlize() and AdminURLFieldWidget.
 .
       The urlize and urlizetrunc template filters, and the AdminURLFieldWidget
       widget, are subject to a potential denial-of-service attack via certain
       inputs with a very large number of Unicode characters.
 .
     - CVE-2024-42005: Potential SQL injection in QuerySet.values() and
       values_list().
 .
       QuerySet.values() and values_list() methods on models with a JSONField
       are subject to SQL injection in column aliases via a crafted JSON object
       key as a passed *arg.
 .
     <https://www.djangoproject.com/weblog/2024/aug/06/security-releases/>
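The length bound that the CVE-2024-56374 entry describes, shown as an added illustration rather than Django's own code: a validator built on the standard library's ipaddress module that refuses input longer than 39 characters before any parsing work is done and, like the upstream helper, can unpack IPv4-mapped addresses. The function names echo the ones the changelog mentions, but the bodies here are this example's own.

```python
import ipaddress

# A fully expanded IPv6 address is 8 groups of 4 hex digits joined by
# 7 colons, so 39 characters is the longest legitimate textual form.
# This constant and the two helpers are a constructed example, not
# Django's implementation.
MAX_IPV6_LENGTH = 39


def is_valid_ipv6_address(value, max_length=MAX_IPV6_LENGTH):
    """Return True if value is a syntactically valid IPv6 address.

    Over-long input is rejected by a cheap length check first, so an
    attacker-controlled string cannot drive the parser to do work that
    grows with the input size.
    """
    if not isinstance(value, str) or len(value) > max_length:
        return False
    try:
        ipaddress.IPv6Address(value)
    except ValueError:  # AddressValueError is a ValueError subclass
        return False
    return True


def clean_ipv6_address(value, unpack_ipv4=False, max_length=MAX_IPV6_LENGTH):
    """Normalise an IPv6 address to its compressed textual form.

    With unpack_ipv4=True an IPv4-mapped address such as ::ffff:192.0.2.1
    is returned as the plain IPv4 string. Raises ValueError for invalid
    or over-long input, mirroring the bound checked above.
    """
    if not isinstance(value, str):
        raise ValueError("IPv6 address must be a string")
    if len(value) > max_length:
        raise ValueError(
            f"IPv6 address longer than {max_length} characters rejected"
        )
    addr = ipaddress.IPv6Address(value)  # raises ValueError when malformed
    if unpack_ipv4 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return addr.compressed
```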
Checksums-Sha1:
 8a7ec2ce56ad136b637f5b4a46b0f67bdcee403f 2925 python-django_4.2.18-1~bpo12+1.dsc
 68c5ee4216bc1a662aa442bbacc2d6ee9caf997d 33428 python-django_4.2.18-1~bpo12+1.debian.tar.xz
Checksums-Sha256:
 b3c36fb6c34f72437a9d9e060ac254ea2453e793ced1034537a0343571c53ebe 2925 python-django_4.2.18-1~bpo12+1.dsc
 b8f3b6fa9973ad6bab3a919260232ba94aaaa759edd12f0cbacea878027d9d47 33428 python-django_4.2.18-1~bpo12+1.debian.tar.xz
Files:
 cc29860c471ae6079b7621adb0ecd15e 2925 python optional python-django_4.2.18-1~bpo12+1.dsc
 98792f7126d89bce3fffcaa95a73b924 33428 python optional python-django_4.2.18-1~bpo12+1.debian.tar.xz
