Accepted python-django 3:4.2.14-1 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 10 Jul 2024 09:50:49 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.14-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1076069
Changes:
 python-django (3:4.2.14-1) unstable; urgency=medium
 .
   * New upstream security release. (Closes: #1076069)
 .
     - CVE-2024-38875: Prevent a potential denial-of-service in
       django.utils.html.urlize. This method (and urlizetrunc) was subject to a
       potential DoS attack via specially-crafted inputs with a very large
       number of brackets.
 .
     - CVE-2024-39329: Avoid a username enumeration vulnerability through timing
       difference for users with unusable passwords. The authenticate method of
       django.contrib.auth.backends.ModelBackend allowed remote attackers
       to enumerate users via a timing attack involving login requests for users
       with unusable passwords.
 .
     - CVE-2024-39330: Address a potential directory-traversal in
       django.core.files.storage.Storage.save. Derived classes of this method's
       base class which override generate_filename without replicating the file
       path validations existing in the parent class allowed for potential
       directory-traversal via certain inputs when calling save(). Built-in
       Storage sub-classes were not affected by this vulnerability.
 .
     - CVE-2024-39614: Fix a potential denial-of-service in
       django.utils.translation.get_supported_language_variant. This method
       was subject to a potential DoS attack when used with very long strings
       containing specific characters. To mitigate this vulnerability, the
       language code provided to get_supported_language_variant is now parsed up
       to a maximum length of 500 characters.
 .
     <https://www.djangoproject.com/weblog/2024/jul/09/security-releases/>

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
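
The CVE-2024-39330 entry above describes a Storage subclass whose generate_filename override skips the parent's path validation. The following is an added example, not code from Django or from this upload: a simplified in-memory model showing that gap and one way to close it by validating inside save(). The classes BaseStorage, PrefixedStorage and HardenedStorage and the helper try_save are hypothetical, validate_file_name and SuspiciousFileOperation only borrow Django's names, and the file names used are constructed.

```python
from pathlib import PurePosixPath


class SuspiciousFileOperation(Exception):
    """Name borrowed from Django; raised when a name would leave the storage root."""


def validate_file_name(name):
    # Simplified check (assumption, not Django's code): no absolute paths,
    # no ".." components, and a non-empty final component.
    path = PurePosixPath(name.replace("\\", "/"))
    if path.is_absolute() or ".." in path.parts or not path.name:
        raise SuspiciousFileOperation(f"unsafe file name: {name!r}")
    return str(path)


class BaseStorage:
    """Toy in-memory storage; keys of self.files are paths relative to the root."""

    def __init__(self):
        self.files = {}

    def generate_filename(self, filename):
        return validate_file_name(filename)  # the parent validates here only

    def save(self, name, content):
        name = self.generate_filename(name)  # trusts whatever the override returns
        self.files[name] = content
        return name


class PrefixedStorage(BaseStorage):
    """Override that does not replicate the parent's validation (the flawed pattern)."""

    def generate_filename(self, filename):
        return "uploads/" + filename


class HardenedStorage(PrefixedStorage):
    """Same override, but save() validates the final name, so no override can skip it."""

    def save(self, name, content):
        name = validate_file_name(self.generate_filename(name))
        self.files[name] = content
        return name


def try_save(storage, name):
    """Return the stored key, or "rejected" if validation refused the name."""
    try:
        return storage.save(name, b"data")
    except SuspiciousFileOperation:
        return "rejected"
```

Calling try_save with a constructed name such as "../../outside.txt" returns a key outside "uploads/" for PrefixedStorage and "rejected" for BaseStorage and HardenedStorage.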
