[SECURITY] [DLA 4010-1] python-django security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4010-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
January 10, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : python-django
Version : 2:2.2.28-1~deb11u4
CVE ID : CVE-2024-6923
The fix for CVE-2024-6923 in the python3.9 source package, which was
released as part of a suite of updates in DLA 3980-1 [0], introduced
stricter processing of input in the email module in order to harden it
against email header injection attacks.
However, this change inadvertently broke sending emails that use lazy
translation strings in the python-django package, which resulted in the
package no longer building from source.
As the previous behaviour of Python's "email" module can be restored by
passing the strict=False flag, the python-django package now does so;
Django already detects and/or encodes newlines in its own handling of
outbound emails, so header injection remains blocked there.
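The practical point of the paragraph above is that an application which relaxes the standard library's strictness must keep its own header injection guard. The following is an added illustration of such a guard, modelled on the kind of check the advisory says Django performs; it is not code from the advisory, from Debian or from Django, and the function and class names (forbid_multi_line_header, build_message, LazyText) are the editor's own assumptions. The sample values are constructed for the example.

```python
"""Added example: a header injection guard for outbound mail.

Not code from Debian or Django; names are the editor's assumptions.
"""
import email.header
import email.message


class BadHeaderError(ValueError):
    """Raised when a header value would start a new header line."""


class LazyText:
    """Stand-in for a lazily translated string: it only becomes real text
    when str() is called on it, which is why naive isinstance(x, str)
    checks in stricter parsers can reject it (constructed for this example)."""

    def __init__(self, text):
        self._text = text

    def __str__(self):
        return self._text


def forbid_multi_line_header(name, value, charset="utf-8"):
    """Return (name, value) safe to place in a header, or raise.

    The lazy/proxy object is coerced to str first so the check runs on the
    actual text. CR or LF anywhere in the value is rejected outright: with a
    generator that does not verify headers, "Subject: hi\\r\\nBcc: x" would
    otherwise be written out as two headers.
    """
    value = str(value)
    if "\n" in value or "\r" in value:
        raise BadHeaderError(
            "Header values can't contain newlines (got %r for header %r)"
            % (value, name)
        )
    try:
        value.encode("ascii")
    except UnicodeEncodeError:
        # RFC 2047-encode non-ASCII text; the encoded form is pure ASCII with
        # no line breaks, so the generator has nothing left to fold unsafely.
        value = email.header.Header(value, charset).encode()
    return name, value


def build_message(sender, recipient, subject, body):
    """Assemble a message, running every caller-supplied header through the
    guard. Uses the compat32 email.message.Message so that the already
    RFC 2047-encoded header values are written verbatim."""
    msg = email.message.Message()
    for name, raw in (("From", sender), ("To", recipient), ("Subject", subject)):
        name, value = forbid_multi_line_header(name, raw)
        msg[name] = value
    msg.set_payload(body, charset="utf-8")
    return msg.as_string()


if __name__ == "__main__":
    # Lazy subject works; non-ASCII subject is encoded; injection is refused.
    print(build_message("a@example.com", "b@example.com", LazyText("Grüße"), "hello"))
    try:
        build_message("a@example.com", "b@example.com",
                      "Hi\r\nBcc: attacker@example.com", "hello")
    except BadHeaderError as exc:
        print("rejected:", exc)
```

The guard runs before the stdlib generator ever sees the value, so it does not depend on which email-module behaviour (strict or relaxed) the interpreter ships with.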
For Debian 11 bullseye, this change has been made in version
2:2.2.28-1~deb11u4.
We recommend that you upgrade your python-django packages.
For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[0] https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmeBaoEACgkQHpU+J9Qx
Hlhc4g/9FZUWiK/et2mdTOdmXb2JIV2FSVTjiGpvU19ves+P9dhQhdv54VqyZPfn
k26liYK4q5lK5GkMjo8mjEwc+BjEy5RI+OI1DLOlMBb4f0XmMQrmBYuwIjH9Sin6
DFCLb3CK33vAK9t17ax29Tjjv6UUZfPG/fUqhCTkdJMCkWKNkNjRAPvTpgih1zrM
bKG1HO41YWW6eo/m7nfjYde6B0JzcUp14iC6J4ZbjW85fYXFI7cRphbU1cHTijhh
7EHLeFMK7gx2bdXapZHZQOw7W6OlhGybdDpo4vJkmAdTFGjQDLtn+ajEUR7EUIt+
L+8DX2zbSSZJ7ApPtuYQ1VynFUP5wVEHBVX6Q9/90oUT+ze6MO7XUcV8k+pCq7jr
QUnSGIn+Ai91WtxXbh5Y4k5BRO40dJH7oPzaJBJPfRh8rOsF8xeU+qtWDSDUlLWv
ga0wDJCLjfk2Rk3me+ZSoqlBZLVUbl0L5WW+j8kYi5o6YfgTM7QowK+GYU0m/9gd
VD0797KEg8NtcpBz9o73Hmf7oSRunF1Bm+9t1mF6F/wmMmOXeYQ7A0wdyo7m+WOq
T+gGcT0RxQLEeGa8nSOc3J4mmYGcrMSlPMrKHHV5y/fqxodQzXnuDPGyE2PFIP5k
QvIWnPoG7O+JV/kWa8Sk79Zg+FS8GIuMbX/LjFSTkbuLYkn+epM=
=4BF9
-----END PGP SIGNATURE-----