Format: 1.8
Date: Fri, 14 Feb 2020 10:00:33 +0000
Source: python-django
Binary: python-django python-django-common python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 1:1.11.28-1~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 950581
Changes:
 python-django (1:1.11.28-1~deb10u1) buster-security; urgency=high
 .
   * New upstream security release. (Closes: #950581)
     <https://www.djangoproject.com/weblog/2020/feb/03/security-releases/>
 .
     - CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)
 .
       Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3
       allows SQL Injection if untrusted data is used as a StringAgg delimiter
       (e.g., in Django applications that offer downloads of data as a series
       of rows with a user-specified column delimiter). By passing a suitably
       crafted delimiter to a contrib.postgres.aggregates.StringAgg instance,
       it was possible to break escaping and inject malicious SQL.