-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 08 Jun 2021 08:13:10 +0100
Source: python-django
Binary: python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 2:2.2.24-1~bpo10+1
Distribution: buster-backports
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework
Closes: 989394
Changes:
 python-django (2:2.2.24-1~bpo10+1) buster-backports; urgency=medium
 .
   * Rebuild for buster-backports.
 .
 python-django (2:2.2.24-1) unstable; urgency=medium
 .
   * New upstream security release. (Closes: #989394)
 .
     - CVE-2021-33203: Potential directory traversal via admindocs
 .
       Staff members could use the admindocs TemplateDetailView view to
       check the existence of arbitrary files. Additionally, if (and only
       if) the default admindocs templates have been customized by the
       developers to also expose the file contents, then not only the
       existence but also the file contents would have been exposed.
 .
       As a mitigation, path sanitation is now applied and only files
       within the template root directories can be loaded.
 .
       This issue has low severity, according to the Django security
       policy.
 .
       Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
       the CodeQL Python team for the report.
 .
     - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
       since validators accepted leading zeros in IPv4 addresses
 .
       URLValidator, validate_ipv4_address(), and validate_ipv46_address()
       didn't prohibit leading zeros in octal literals. If you used such
       values you could suffer from indeterminate SSRF, RFI, and LFI
       attacks.
 .
       validate_ipv4_address() and validate_ipv46_address() validators were
       not affected on Python 3.9.5+.
 .
       This issue has medium severity, according to the Django security
       policy.
 .
 python-django (2:2.2.23-1) unstable; urgency=medium
 .
   * New upstream release.
     <https://docs.djangoproject.com/en/3.2/releases/2.2.23/>
Checksums-Sha1:
 085116a62ed30048adae98d15195ba39eac146f9 2847 python-django_2.2.24-1~bpo10+1.dsc
 5f6dc81c98530d745ffd6ee3712605d0f7312bb4 9211396 python-django_2.2.24.orig.tar.gz
 d46e96a9cc047379bf94cf53cf55f935abd8e3e4 27840 python-django_2.2.24-1~bpo10+1.debian.tar.xz
 5812078aa4dd1f10f3f632e32f5cd55f1f4dd4a6 3111204 python-django-doc_2.2.24-1~bpo10+1_all.deb
 015a6bcfedd93b1d1dd8b7f99cc330e6e5e14422 7738 python-django_2.2.24-1~bpo10+1_amd64.buildinfo
 feef7ed1dc1e7e5f2d8c33d28f59876777089a08 2681668 python3-django_2.2.24-1~bpo10+1_all.deb
Checksums-Sha256:
 c20478f85c3e1d93fd0a2d1d2c448bdf47091c9211a6bc56333cb5f89a79536f 2847 python-django_2.2.24-1~bpo10+1.dsc
 3339ff0e03dee13045aef6ae7b523edff75b6d726adf7a7a48f53d5a501f7db7 9211396 python-django_2.2.24.orig.tar.gz
 31281e80606216825a9b01a7a3aeb0024ccc1a3cef2cf1165a482726d684ce0e 27840 python-django_2.2.24-1~bpo10+1.debian.tar.xz
 e4d027204dc7a9c9d21980305d27836a7ddbae04d4b8160fc6a09b1dd536ffb9 3111204 python-django-doc_2.2.24-1~bpo10+1_all.deb
 f064f4a0b8a213dfe17c35192f4f41ff7b10681e23048f2599fe342d566c4fa6 7738 python-django_2.2.24-1~bpo10+1_amd64.buildinfo
 bc5cf1763e608e4ac836496de86fb5562be6c6740622ed9f2d2a7af6a0d3549f 2681668 python3-django_2.2.24-1~bpo10+1_all.deb
Files:
 e5ea58d08056b0449e172ede2d3706c6 2847 python optional python-django_2.2.24-1~bpo10+1.dsc
 ebf3bbb7716a7b11029e860475b9a122 9211396 python optional python-django_2.2.24.orig.tar.gz
 f88776d87f0389160384c6c4f0cd6b22 27840 python optional python-django_2.2.24-1~bpo10+1.debian.tar.xz
 2f5778423a0edcbdedb618e5b5ddd451 3111204 doc optional python-django-doc_2.2.24-1~bpo10+1_all.deb
 fc18df5cf4fbcd2875ec733b00fe0738 7738 python optional python-django_2.2.24-1~bpo10+1_amd64.buildinfo
 1f746d75621a6740df259e22fe9de5f9 2681668 python optional python3-django_2.2.24-1~bpo10+1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmC/GVcACgkQHpU+J9Qx
HlhPKg//QtPIixYKw5qR/5tbuLirXeHxIN4gdojw0Lu0lE5oLpe0bsgAOSiqDeW3
mkEi+9ZhoGGwAK3+Iriee0uObnwNk6okYox4bL3rsRQ6f2KcP/AMq9INXMKvHlgY
cxq6OAMzQbxrSMXPiq2bMlBxM4a3F2jCX1mrkeSdK1Y7KyIhY2t6D/47OKGIt0BK
ro+cwnk/LyJHUPBboRcSEqtQYa52YTidmjstMFyBHNaO3SH4pMCcPUuwZLl+cxoC
4dvaGiyD4AHUVYlOw270Jw9Y0wUb2SU59MfmLAV7gyy/L5IrWJilnmT/qQ42Dpv3
/Gv8OBf1htWkHQjwD6FtcrwxG1chV67IkF0SsesDsFCNAePdJ/UgfQOTc5/QM0pW
2dd9KHW/VGYMPUAU/nG6CS7nSuKr7utafvGTMbVC7BjZOkDzDwdvGhoBrsS1jOFz
jbCLZ/tt7KsitNN/sbq895nFyL2Su8OttuDDa3xCANcqyqBUx258w26jddfF0Go5
+ceOyaQ3dPRT3Z8222RbwCu/trddesiskuquVKj5KAf5J87kIrZ1a/EQd69sD3PQ
O0Y/LKu3EUpOYM+5Yk1gU+73Sxa6f2P3kJ6zVi5jbYCW8lXk1HS6JhQC6lHfG0HX
zeGQmJxSBSmGvG7lc3Yqenm1ReZ8vIpUpiTqS+287zv4OtlyGVg=
=pOI8
-----END PGP SIGNATURE-----
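The two mitigations the changelog above describes, shown as an added Python example; this is neither Django's code nor part of this upload. For CVE-2021-33571 it puts a permissive octet pattern (a constructed stand-in for "a validator that tolerates leading zeros", not Django's actual regex) beside a strict one, and makes the "indeterminate" part concrete by parsing the same string the way a decimal reader and the C library's `inet_aton()` (leading `0` means octal) would. For CVE-2021-33203 it shows a lexical root-containment check of the kind "only files within the template root directories can be loaded" implies; the check is generic, not Django's implementation, and the roots and template names are constructed.

```python
"""Added example (not Django's or this upload's code): the two checks behind
the CVE-2021-33571 and CVE-2021-33203 fixes described in the changelog."""
import ipaddress
import os
import re

# --- CVE-2021-33571: leading zeros in IPv4 octets ---------------------------

# Constructed stand-in for a validator that tolerates leading zeros; it is
# not Django's actual regex. "010" matches [0-1]?\d?\d, so it is accepted.
_PERMISSIVE_OCTET = r"(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)"
_PERMISSIVE = re.compile(rf"{_PERMISSIVE_OCTET}(?:\.{_PERMISSIVE_OCTET}){{3}}", re.ASCII)

# Strict octet: 0, or a number 1-255 written without a leading zero.
_STRICT_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_STRICT = re.compile(rf"{_STRICT_OCTET}(?:\.{_STRICT_OCTET}){{3}}", re.ASCII)


def permissive_ipv4(addr: str) -> bool:
    return _PERMISSIVE.fullmatch(addr) is not None


def strict_ipv4(addr: str) -> bool:
    return _STRICT.fullmatch(addr) is not None


def _octets(addr: str, octal_prefix: bool):
    """Parse a dotted quad into four ints. With octal_prefix=True a leading 0
    selects base 8, which is how the C library's inet_aton() reads such octets
    (hex 0x prefixes are not modelled here). Returns None when unparsable."""
    parts = addr.split(".")
    if len(parts) != 4:
        return None
    out = []
    for p in parts:
        if not re.fullmatch(r"[0-9]+", p):
            return None
        base = 8 if octal_prefix and len(p) > 1 and p[0] == "0" else 10
        try:
            value = int(p, base)
        except ValueError:          # e.g. "09" is not valid octal
            return None
        if value > 255:
            return None
        out.append(value)
    return tuple(out)


def decimal_octets(addr: str):
    return _octets(addr, octal_prefix=False)


def inet_aton_octets(addr: str):
    return _octets(addr, octal_prefix=True)


def is_indeterminate(addr: str) -> bool:
    """True when the permissive validator lets the address through but a
    decimal reader and an inet_aton-style reader name different hosts."""
    if not permissive_ipv4(addr) or strict_ipv4(addr):
        return False
    return decimal_octets(addr) != inet_aton_octets(addr)


def stdlib_accepts(addr: str) -> bool:
    """ipaddress rejects leading zeros on Python 3.9.5+ (the changelog's
    note about validate_ipv4_address) and accepts them on older releases."""
    try:
        ipaddress.IPv4Address(addr)
        return True
    except ValueError:
        return False


# --- CVE-2021-33203: only serve files inside the template roots ------------

def is_within_root(root: str, requested: str) -> bool:
    """Containment check of the kind the changelog describes: the requested
    name, joined to the root and normalised, must still lie under the root.
    An absolute `requested` replaces the root in os.path.join and '..'
    segments climb out; both fail the commonpath comparison. The check is
    purely lexical: resolve symlinks with os.path.realpath before it."""
    root_norm = os.path.normpath(os.path.abspath(root))
    candidate = os.path.normpath(os.path.join(root_norm, requested))
    if candidate == root_norm:
        return False                # the root directory itself is not a template
    try:
        return os.path.commonpath([root_norm, candidate]) == root_norm
    except ValueError:              # e.g. different drives on Windows
        return False


def find_template(roots, requested: str):
    """Return the first contained candidate path, or None. No file I/O here;
    real code would additionally require os.path.isfile on the candidate."""
    for root in roots:
        if is_within_root(root, requested):
            return os.path.normpath(os.path.join(root, requested))
    return None


if __name__ == "__main__":
    for a in ("127.0.0.10", "127.0.0.010", "127.0.0.01", "010.1.1.1"):
        print(f"{a:<12} permissive={permissive_ipv4(a)!s:<5} strict={strict_ipv4(a)!s:<5} "
              f"decimal={decimal_octets(a)} inet_aton={inet_aton_octets(a)} "
              f"indeterminate={is_indeterminate(a)} stdlib={stdlib_accepts(a)}")
    roots = ["/srv/app/templates"]          # constructed root
    for name in ("admin/base.html", "admin/../base.html", "../../etc/passwd", "/etc/passwd"):
        print(f"{name:<20} -> {find_template(roots, name)}")
```

`127.0.0.010` is the instructive case: the permissive pattern accepts it, a decimal reader sees `127.0.0.10`, an `inet_aton`-style reader sees `127.0.0.8`, and the strict pattern refuses to pick either. `127.0.0.01` is also rejected by the strict pattern even though both readers agree on it, which is the point of banning the notation outright rather than special-casing the octets that happen to differ.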