Package: release.debian.org User: release.debian.org@packages.debian.org Usertags: unblock Dear Release Team, Please consider unblocking python-django 2:2.2.24-1. It actually constitutes two versions, the first addressing security releases which should be uncontroversial and the second (2:2.2.23-1) fixes a regression from the previous version. Quoting from the debdiff (which can be found attached): * Fixed a regression in Django 2.2.21 where saving ``FileField`` would raise a ``SuspiciousFileOperation`` even when a custom :attr:`~django.db.models.FileField.upload_to` returns a valid file path (:ticket:`32718`). This unblock would also incorporate a minor upstream change to the documentation that points to Libera.chat over Freenode for the project's IRC channel. python-django (2:2.2.24-1) unstable; urgency=medium * New upstream security release. (Closes: #989394) - CVE-2021-33203: Potential directory traversal via admindocs Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed. As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded. This issue has low severity, according to the Django security policy. Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from the CodeQL Python team for the report. - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn't prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks. validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+. This issue has medium severity, according to the Django security policy. -- Chris Lamb <lamby@debian.org> Wed, 02 Jun 2021 16:15:13 +0100 python-django (2:2.2.23-1) unstable; urgency=medium * New upstream release. <https://docs.djangoproject.com/en/3.2/releases/2.2.23/> -- Chris Lamb <lamby@debian.org> Thu, 13 May 2021 10:41:04 +0100 As mentioned above, the full debdiff is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` lamby@debian.org / chris-lamb.co.uk `-
Attachment:
debdiff
Description: Binary data