-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Aug 2019 16:00:04 +0100
Source: python-django
Binary: python-django python-django-common python-django-doc python3-django
Architecture: source all
Version: 1:1.11.23-1~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Changes:
 python-django (1:1.11.23-1~deb10u1) buster-security; urgency=high
 .
   * New upstream security release.
     <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
 .
     - CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator
 .
       If django.utils.text.Truncator's chars() and words() methods were passed
       the html=True argument, they were extremely slow to evaluate certain
       inputs due to a catastrophic backtracking vulnerability in a regular
       expression. The chars() and words() methods are used to implement the
       truncatechars_html and truncatewords_html template filters, which were
       thus vulnerable.
 .
       The regular expressions used by Truncator have been simplified in order
       to avoid potential backtracking issues. As a consequence, trailing
       punctuation may now at times be included in the truncated output.
 .
     - CVE-2019-14233: Denial-of-service possibility in strip_tags()
 .
       Due to the behavior of the underlying HTMLParser,
       django.utils.html.strip_tags() would be extremely slow to evaluate
       certain inputs containing large sequences of nested incomplete HTML
       entities. The strip_tags() method is used to implement the
       corresponding striptags template filter, which was thus also
       vulnerable.
 .
       strip_tags() now avoids recursive calls to HTMLParser when progress
       removing tags, but necessarily incomplete HTML entities, stops being
       made.
 .
       Remember that absolutely NO guarantee is provided about the results of
       strip_tags() being HTML safe. So NEVER mark safe the result of a
       strip_tags() call without escaping it first, for example with
       django.utils.html.escape().
 .
     - CVE-2019-14234: SQL injection possibility in key and index lookups for
       JSONField/HStoreField
 .
       Key and index lookups for django.contrib.postgres.fields.JSONField and
       key lookups for django.contrib.postgres.fields.HStoreField were subject
       to SQL injection, using a suitably crafted dictionary, with dictionary
       expansion, as the **kwargs passed to QuerySet.filter().
 .
     - CVE-2019-14235: Potential memory exhaustion in
       django.utils.encoding.uri_to_iri()
 .
       If passed certain inputs, django.utils.encoding.uri_to_iri could lead
       to significant memory usage due to excessive recursion when
       re-percent-encoding invalid UTF-8 octet sequences.
 .
       uri_to_iri() now avoids recursion when re-percent-encoding invalid
       UTF-8 octet sequences.
Checksums-Sha1:
 b2168921e1d438f375007ec8295a8f51c6d3c014 3267 python-django_1.11.23-1~deb10u1.dsc
 6127e40ed8daf85479c984d2d3757cdeed208c8f 7849738 python-django_1.11.23.orig.tar.gz
 8b809fd3e0b4e542d0eb297be5beb9667049bb7f 26972 python-django_1.11.23-1~deb10u1.debian.tar.xz
 47e625712957cfd14d0434bbe5bbe65c68e9c6e7 1537588 python-django-common_1.11.23-1~deb10u1_all.deb
 efc2fa751dc51dc952a04482ea6ff89389ad8281 2687628 python-django-doc_1.11.23-1~deb10u1_all.deb
 c87bb5f84922eeee46eb97887a6d7ff15fd7e7fe 916944 python-django_1.11.23-1~deb10u1_all.deb
 4721bd013c22de5304a2761a67531f533960df89 13912 python-django_1.11.23-1~deb10u1_amd64.buildinfo
 3c2e3d568a5d00eceeae65058e6045d7fb2f2aca 916856 python3-django_1.11.23-1~deb10u1_all.deb
Checksums-Sha256:
 8bf9724184741b2f8eb100de78c818f23fb3be97e61e8b32108aff1aa7a6c337 3267 python-django_1.11.23-1~deb10u1.dsc
 52a66d7f8b036d02da0a4472359e8be1727424fc1e4b4f5c684ef97de7b569e1 7849738 python-django_1.11.23.orig.tar.gz
 fcc6bde825eb22e73284ce2a9d68ee9c508c80a7c587f36aae268da5d4e4c0fb 26972 python-django_1.11.23-1~deb10u1.debian.tar.xz
 53209600bedff821fe17add2fd05841af260ceb8550d7cbf4eebb8a9b671b8a9 1537588 python-django-common_1.11.23-1~deb10u1_all.deb
 cf84ccba88283edfe1c676d9b34d6fa23b9d2f6df2dff93a73ab44bec05737bc 2687628 python-django-doc_1.11.23-1~deb10u1_all.deb
 521fe4b6982207200905540c34c4af5508ea1aedad663f22e207f7d8d4c39782 916944 python-django_1.11.23-1~deb10u1_all.deb
 41d6600889388b47bcd9e7920307faf5d9805e9e05205912d5e2a579d250586f 13912 python-django_1.11.23-1~deb10u1_amd64.buildinfo
 c3bc137f081ee1564d4afda526bb29ad154227fd33ef102de21fa83be69c5de0 916856 python3-django_1.11.23-1~deb10u1_all.deb
Files:
 bd8fc6eeb4f016dc327089c6598ad644 3267 python optional python-django_1.11.23-1~deb10u1.dsc
 ded95be58e57d0fa65b03e36b1566265 7849738 python optional python-django_1.11.23.orig.tar.gz
 11f554474eedf2c55131df1a0a653b25 26972 python optional python-django_1.11.23-1~deb10u1.debian.tar.xz
 6bd8a2824900cb2821eac2077e8bb540 1537588 python optional python-django-common_1.11.23-1~deb10u1_all.deb
 6f5677ce841abdff61c25e52d1e073e1 2687628 doc optional python-django-doc_1.11.23-1~deb10u1_all.deb
 79abd01a392ca97e66de018132f87f94 916944 python optional python-django_1.11.23-1~deb10u1_all.deb
 ac7eb6da649c06efb4003685ca5b3c22 13912 python optional python-django_1.11.23-1~deb10u1_amd64.buildinfo
 38cd4f4d15558b168e7ed781e4661a7b 916856 python optional python3-django_1.11.23-1~deb10u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl1OqqEACgkQHpU+J9Qx
Hlg2LA//YGzEJOxwR8dAxllBExNb0fw4goDabKAqGK5XDcF1iqagsR2ULiP51B3N
z8D5FdTn9IkavaT/DN+Ty+ZsCstuUrKME7xtERFigHatYs2BR707KpszzvVx2nBr
Rp+1okvPuWtEfCMfk0SGliLNbHOe82ANNMyiMiuPnfcfhJ7nxSVO8IXmnSRa/rMc
8ifS4ulnk3RnYY2sFbj2YJpxyfWuI5ZSyodzjCo0Y+XeLmr7ofF9EYKNjgGIu7wz
n9rP1BAkjUMVDYMRT9ol/h/hon1OSovOvaZcaE7KZ+UmftxfrbnRB0AoObwkKTMr
fds/cgcql/Hm+zlWSH0GJRWpJEENEDDiNYnliLSWxxPkli8dipjW2ggwV0RrTqqF
JgSSFI/XCxwQVH/oVCHeU+8PY1LwsIcGrYTzFNT3cqfcfCbP6J0oq6iq1AhVdP9A
mD9UAZOqJ9QF5VWbMtvUBdzECaqZ+TqHfCt04wput4WsuxBw1B2I+sTJsmlx38Hr
5VHLdqGg2ZoUrs5BR2U5CtilDLWSnPvaqzpisnzELwjwBbb//tJ0a9J47iOCdTns
g0Pg7Sf2Z8o5khvTXMslH9UCACoDE4SwxwJ+n3KO8xSJ5VhAw0Ixxk7DXHld60yp
qBns6axuffr4nVIv/NjlD8KUOVl8nYZ/fdndgqiPPcgs9nsHUHE=
=cCh8
-----END PGP SIGNATURE-----
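Before installing the binaries listed in the Checksums and Files fields above, a practitioner first checks the OpenPGP signature on the .changes file (gpg --verify against the Debian keyring, or dscverify from devscripts, which checks signature and checksums in one step) and then the per-file digests. The following is an added example, not code from the Debian upload or from Django: it parses the multi-line Checksums-Sha256, Checksums-Sha1 and Files fields in the format shown above and checks downloaded files against them. CHANGES_EXCERPT is copied from this upload; the files hashed in demo() are constructed for the demonstration.

```python
"""Verify the checksum fields of a Debian .changes file.

Added example for this page, not code from the Debian package or from Django.
CHANGES_EXCERPT is copied from the upload above; demo() hashes constructed files.
"""
import hashlib
import os
import re
import tempfile

# Field name -> (hash algorithm, index of the filename within a split line).
# Checksums-* lines read "digest size name"; Files lines read
# "md5 size section priority name".
CHECKSUM_FIELDS = {
    "Checksums-Sha256": ("sha256", 2),
    "Checksums-Sha1": ("sha1", 2),
    "Files": ("md5", 4),
}

# Header lines and the .dsc entry of two fields, copied from the .changes above.
CHANGES_EXCERPT = """Format: 1.8
Source: python-django
Checksums-Sha256:
 8bf9724184741b2f8eb100de78c818f23fb3be97e61e8b32108aff1aa7a6c337 3267 python-django_1.11.23-1~deb10u1.dsc
Files:
 bd8fc6eeb4f016dc327089c6598ad644 3267 python optional python-django_1.11.23-1~deb10u1.dsc
"""


def parse_changes(text):
    """Return {field: [(digest, size, filename), ...]} for the checksum fields.
    A multi-line field has no value on its header line; each entry follows on
    a line that begins with a single space."""
    fields = {}
    current = None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            parts = line.split()
            name = parts[CHECKSUM_FIELDS[current][1]]
            fields[current].append((parts[0], int(parts[1]), name))
            continue
        current = None  # any non-continuation line ends the current field
        m = re.match(r"^([A-Za-z0-9-]+):\s*$", line)
        if m and m.group(1) in CHECKSUM_FIELDS:
            current = m.group(1)
            fields[current] = []
    return fields


def hash_file(path, algorithm):
    """Stream the file through hashlib so a large .orig.tar.gz is not read whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_changes(text, directory, field="Checksums-Sha256"):
    """Check each file listed under `field` against its copy in `directory`.
    Returns [(filename, status)] with status 'ok', 'missing', 'size-mismatch'
    or 'digest-mismatch'. Trust the SHA-256 field; MD5 and SHA-1 are legacy."""
    algorithm, _ = CHECKSUM_FIELDS[field]
    results = []
    for digest, size, name in parse_changes(text).get(field, []):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results.append((name, "missing"))
        elif os.path.getsize(path) != size:
            results.append((name, "size-mismatch"))
        elif hash_file(path, algorithm) != digest:
            results.append((name, "digest-mismatch"))
        else:
            results.append((name, "ok"))
    return results


def demo():
    """Constructed scenario: intact, same-size swap, truncated, never downloaded."""
    payloads = {
        "good_1.0_all.deb": b"intact package payload\n",
        "swapped_1.0_all.deb": b"original package payload\n",
        "short_1.0_all.deb": b"payload that will be truncated\n",
    }
    changes = "Format: 1.8\nChecksums-Sha256:\n"
    for name, data in payloads.items():
        changes += " %s %d %s\n" % (hashlib.sha256(data).hexdigest(), len(data), name)
    changes += " %s 42 absent_1.0_all.deb\n" % ("0" * 64)
    with tempfile.TemporaryDirectory() as d:
        for name, data in payloads.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # Tamper after the manifest was written: same length but different
        # bytes for one file, a truncated copy of another.
        with open(os.path.join(d, "swapped_1.0_all.deb"), "wb") as f:
            f.write(b"Original package payload\n")
        with open(os.path.join(d, "short_1.0_all.deb"), "wb") as f:
            f.write(b"payload that")
        return verify_changes(changes, d)


if __name__ == "__main__":
    for name, status in demo():
        print("%-22s %s" % (name, status))
```

A digest match only proves that the file on disk is the one the signer described; the signing key (0x1E953E27D4311E58 here) still has to be checked against the Debian keyring before the manifest is trusted at all. The size check runs first because it is free and catches truncated downloads without hashing.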