Format: 1.8
Date: Thu, 01 Jul 2021 10:56:07 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.5-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Changes:
 python-django (2:3.2.5-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-35042: Potential SQL injection via unsanitized
       QuerySet.order_by() input.
 .
       Unsanitized user input passed to QuerySet.order_by() could bypass
       intended column reference validation in path marked for deprecation
       resulting in a potential SQL injection even if a deprecation warning
       is emitted. As a mitigation, the strict column reference validation
       was restored for the duration of the deprecation period. This
       regression appeared in Django version 3.1 as a side effect of fixing
       another bug (#31426).
 .
       For more information, please see:
       <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
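
An application-side guard for the input path this changelog entry concerns, as an added example that is not part of the upload notice or of Django's own fix: it maps a request's sort parameter onto an allowlist so that no request text ever reaches QuerySet.order_by(). The field names, the `sort` parameter and the `Article` model are assumptions made for illustration.

```python
"""Allowlist validation for a user-supplied sort parameter (constructed example)."""

# Hypothetical mapping: public sort keys -> ORM field names the view may order by.
ALLOWED_SORT_FIELDS = {
    "title": "title",
    "published": "published_at",
    "author": "author__name",
}
DEFAULT_ORDERING = ("-published_at",)
MAX_SORT_TERMS = 3


class InvalidSort(ValueError):
    """Raised when the request names a sort key outside the allowlist."""


def parse_sort_param(raw, allowed=ALLOWED_SORT_FIELDS, default=DEFAULT_ORDERING):
    """Turn e.g. "-published,title" into arguments that are safe for order_by().

    Only field names stored in `allowed` are ever returned; text from the
    request is used to look up a key and is never passed through.
    """
    if raw is None or not raw.strip():
        return list(default)
    terms = raw.split(",")
    if len(terms) > MAX_SORT_TERMS:
        raise InvalidSort("too many sort terms")
    ordering = []
    seen = set()
    for term in terms:
        term = term.strip()
        descending = term.startswith("-")
        key = term[1:] if descending else term
        if key not in allowed:
            # Rejects anything outside the mapping, including dotted column
            # references, quoted or spaced strings, and empty terms.
            raise InvalidSort(f"unsupported sort key: {key!r}")
        if key in seen:
            raise InvalidSort(f"duplicate sort key: {key!r}")
        seen.add(key)
        field = allowed[key]
        ordering.append("-" + field if descending else field)
    return ordering


# In a view (hypothetical model and parameter names):
#   qs = Article.objects.order_by(*parse_sort_param(request.GET.get("sort")))
```

Because the returned strings come from the mapping's values, the guard holds regardless of which Django version performs its own column reference validation; upgrading to the fixed release is still required.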