
Accepted python-django 2:4.0.1-1 (source) into experimental



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Jan 2022 12:03:13 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:4.0.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1003113
Changes:
 python-django (2:4.0.1-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-45115: Denial-of-service possibility in
       UserAttributeSimilarityValidator
 .
       UserAttributeSimilarityValidator incurred significant overhead evaluating
       submitted passwords that were artificially large relative to the
       comparison values. On the assumption that access to user registration was
       unrestricted this provided a potential vector for a denial-of-service
       attack.
 .
       In order to mitigate this issue, relatively long values are now ignored
       by UserAttributeSimilarityValidator.
 .
     - CVE-2021-45116: Potential information disclosure in dictsort template
       filter
 .
       Due to leveraging the Django Template Language's variable resolution
       logic, the dictsort template filter was potentially vulnerable to
       information disclosure or unintended method calls, if passed a
       suitably crafted key.
 .
       In order to avoid this possibility, dictsort now works with a
       restricted resolution logic, that will not call methods, nor allow
       indexing on dictionaries.
 .
     - CVE-2021-45452: Potential directory-traversal via Storage.save()
 .
       Storage.save() allowed directory-traversal if directly passed suitably
       crafted file names.
 .
     See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
     for more information. (Closes: #1003113)

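The mitigation described for CVE-2021-45115 (ignoring values that are long relative to the comparison value), sketched as an added example that is not part of the original message and is not Django's own code. The names `length_bound` and `review_password`, the 0.7 threshold and the sample user are assumptions; a comparison is skipped whenever the lengths alone show the threshold cannot be reached.

```python
import re
from difflib import SequenceMatcher

MAX_SIMILARITY = 0.7  # assumed threshold for this example


def length_bound(password, value):
    """Upper bound on a SequenceMatcher ratio, computed from lengths only.

    A ratio is 2*M/T (M matched characters, T combined length) and M can
    never exceed the shorter string, so the bound is 2*min(la, lb)/(la+lb).
    """
    total = len(password) + len(value)
    return 2.0 * min(len(password), len(value)) / total if total else 1.0


def review_password(password, attributes, max_similarity=MAX_SIMILARITY):
    """Compare a password with user attribute values.

    Returns (similar, skipped): attribute names too close to the password,
    and names whose values were ignored because the password is so long
    relative to them that the threshold is unreachable.
    """
    similar, skipped = [], []
    password = password.lower()
    for name, value in attributes.items():
        if not value:
            continue
        value = value.lower()
        # Compare against each word of the value as well as the whole value.
        parts = [p for p in re.split(r"\W+", value) if p] + [value]
        compared = False
        for part in parts:
            # O(1) guard: skip the costly matcher when it cannot succeed.
            if length_bound(password, part) < max_similarity:
                continue
            compared = True
            if SequenceMatcher(a=password, b=part).quick_ratio() >= max_similarity:
                similar.append(name)
                break
        if not compared:
            skipped.append(name)
    return similar, skipped


# Constructed sample input (hypothetical user record).
USER = {"username": "alice", "email": "alice@example.org"}
```

Because the bound never underestimates the matcher's ratio, the guard only discards comparisons that would have failed anyway, so oversized submissions cost constant time per attribute value.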