
Accepted python-django 2:2.2.26-1~deb11u1 (source) into proposed-updates->stable-new, proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 13 Jan 2022 11:11:29 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.26-1~deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1003113 1003478
Changes:
 python-django (2:2.2.26-1~deb11u1) bullseye; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-45115: Denial-of-service possibility in
       UserAttributeSimilarityValidator
 .
       UserAttributeSimilarityValidator incurred significant overhead evaluating
       submitted passwords that were artificially large relative to the
       comparison values. On the assumption that access to user registration was
       unrestricted, this provided a potential vector for a denial-of-service
       attack.
 .
       In order to mitigate this issue, relatively long values are now ignored
       by UserAttributeSimilarityValidator.
 .
     - CVE-2021-45116: Potential information disclosure in dictsort template
       filter
 .
       Due to leveraging the Django Template Language's variable resolution
       logic, the dictsort template filter was potentially vulnerable to
       information disclosure or unintended method calls, if passed a
       suitably crafted key.
 .
       In order to avoid this possibility, dictsort now works with a
       restricted resolution logic, that will not call methods, nor allow
       indexing on dictionaries.
 .
     - CVE-2021-45452: Potential directory-traversal via Storage.save()
 .
       Storage.save() allowed directory-traversal if directly passed suitably
       crafted file names.
 .
     See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
     for more information. (Closes: #1003113)
 .
   * Fix a traceback around the handling of RequestSite/get_current_site() due
     to a circular import by backporting commit 78163d1a from upstream. Thanks
     to Raphaël Hertzog for the report. (Closes: #1003478)
Checksums-Sha1:
 baca602a3707fb112803ee2dc6e1d15f0cfb3bc0 2811 python-django_2.2.26-1~deb11u1.dsc
 4c917a122b8d79a765e4d6098a59f07144260983 9207984 python-django_2.2.26.orig.tar.gz
 046056ae1333d5c2de2c14e57fcd814d2dc293e6 28276 python-django_2.2.26-1~deb11u1.debian.tar.xz
 5db4278ee9d7af06ebe2bda85eb5db5fba564698 7825 python-django_2.2.26-1~deb11u1_amd64.buildinfo
Checksums-Sha256:
 3ad5c9a9653cbd78d410a4da4727672f9a5e62fc8e3aa16cecc7e421a6da8df3 2811 python-django_2.2.26-1~deb11u1.dsc
 a84c71495d12388ea3e7cb271ba0b6c020e51831477a65e7cd00fe1cce80d103 9207984 python-django_2.2.26.orig.tar.gz
 05b73ac1ed05d597f480dd8660241419dd22e8abd89969dca5b08b190085369a 28276 python-django_2.2.26-1~deb11u1.debian.tar.xz
 96c0b5fa30b4c1136159283e0a4d21577865509fe64c09e8990163c0531dfeae 7825 python-django_2.2.26-1~deb11u1_amd64.buildinfo
Files:
 3bdeb77c79b05ca56d820526b047be29 2811 python optional python-django_2.2.26-1~deb11u1.dsc
 bab60abc268ae5be2cd38ad1ae079d76 9207984 python optional python-django_2.2.26.orig.tar.gz
 684ebf29ae23444b3065c7cb48a0bb9b 28276 python optional python-django_2.2.26-1~deb11u1.debian.tar.xz
 463d571f36225897895b06ac0189220d 7825 python optional python-django_2.2.26-1~deb11u1_amd64.buildinfo

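
The CVE-2021-45115 entry above says relatively long values are now ignored by the similarity validator. The following is an added example, not Django's code and not part of the upload: a similarity check that skips any comparison whose lengths alone rule out a match. The function names, the 0.7 threshold and the sample user are assumptions made for the illustration.

```python
import re
from difflib import SequenceMatcher

MAX_SIMILARITY = 0.7  # assumed threshold above which a password is "too similar"

# Constructed sample user attributes.
SAMPLE_USER = {"username": "alice.smith", "email": "alice.smith@example.org"}


def ratio_upper_bound(a, b):
    """Best ratio SequenceMatcher could report for strings of these lengths
    (2 * matches / total length, with matches <= the shorter length)."""
    total = len(a) + len(b)
    return 2 * min(len(a), len(b)) / total if total else 1.0


def similar_attributes(password, attributes, max_similarity=MAX_SIMILARITY):
    """Return (attribute names the password resembles, comparisons actually run)."""
    hits, compared = [], 0
    pw = password.lower()
    for name, value in attributes.items():
        # Compare against each word of the value and the value as a whole.
        for part in re.split(r"\W+", value) + [value]:
            part = part.lower()
            if not part or ratio_upper_bound(pw, part) < max_similarity:
                continue  # lengths too far apart to ever match: ignore
            compared += 1
            if SequenceMatcher(a=pw, b=part).quick_ratio() >= max_similarity:
                hits.append(name)
                break
    return hits, compared


if __name__ == "__main__":
    for candidate in ("alicesmith1", "correct-horse-battery", "a" * 1_000_000):
        hits, compared = similar_attributes(candidate, SAMPLE_USER)
        print(len(candidate), hits, compared)
```

The length guard only drops comparisons that could not have reached the threshold, so an oversized password is rejected or accepted on other grounds without the validator doing any matching work on it.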

