-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Jan 2022 12:03:13 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:4.0.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1003113
Changes:
 python-django (2:4.0.1-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator
 .
       UserAttributeSimilarityValidator incurred significant overhead evaluating
       submitted passwords that were artificially large relative to the comparison
       values. On the assumption that access to user registration was unrestricted,
       this provided a potential vector for a denial-of-service attack.
 .
       In order to mitigate this issue, relatively long values are now ignored by
       UserAttributeSimilarityValidator.
 .
     - CVE-2021-45116: Potential information disclosure in dictsort template filter
 .
       Due to leveraging the Django Template Language's variable resolution logic,
       the dictsort template filter was potentially vulnerable to information
       disclosure or unintended method calls, if passed a suitably crafted key.
 .
       In order to avoid this possibility, dictsort now works with a restricted
       resolution logic that will not call methods nor allow indexing on
       dictionaries.
 .
     - CVE-2021-45452: Potential directory-traversal via Storage.save()
 .
       Storage.save() allowed directory-traversal if directly passed suitably
       crafted file names.
 .
       See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
       for more information. (Closes: #1003113)
Checksums-Sha1:
 334bd0b96016d136e5bc06320821020a4f815256 2779 python-django_4.0.1-1.dsc
 ab735671359bdcbf65caaf3bdb961496567ce28f 9995484 python-django_4.0.1.orig.tar.gz
 5767ddee131607a56ea08a89fa869c43d6effc12 27684 python-django_4.0.1-1.debian.tar.xz
 93e3e17c02a32b94ba62a76ee50a9d5db0cdede0 7805 python-django_4.0.1-1_amd64.buildinfo
Checksums-Sha256:
 1358b6fd15630370c9ae35cee1bf79d68139f1256e5b85f18231cd42a51219d4 2779 python-django_4.0.1-1.dsc
 2485eea3cc4c3bae13080dee866ebf90ba9f98d1afe8fda89bfb0eb2e218ef86 9995484 python-django_4.0.1.orig.tar.gz
 26b583bff2255b3f21d91ab6cff92f95e14a3d148e62ca2243e8590236d45e26 27684 python-django_4.0.1-1.debian.tar.xz
 b883033dcda5cf69aa967e4bfa5cddb8ff00a3761cc6e50bfd3d826ecadd5a7b 7805 python-django_4.0.1-1_amd64.buildinfo
Files:
 a710a9b6dae09b45f4ff9a5f961cc459 2779 python optional python-django_4.0.1-1.dsc
 6d0fba754d678f69b573dd9fbf5e6fa6 9995484 python optional python-django_4.0.1.orig.tar.gz
 93b3143810f1b5e994e863736f258220 27684 python optional python-django_4.0.1-1.debian.tar.xz
 1c9551d076b824ca0963a03e8dadd6f7 7805 python optional python-django_4.0.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmHUPf8ACgkQHpU+J9Qx
HlhcLBAAnVMrwDWYLjx46NYwI54kRJ+CxHKYH8ZMw0mxog/S0VI16T3mSS11az/M
qKf2B4K0AxRklhiaQIGT/qz+jSe+fB90uWtZ1Kcw/iekOcA/SwVHdIsYoe3qNXrc
GMJlbO5y4/zcO7kuHAUQyypI//MSXhPQZ10nxcac4x5xzJ/k5NxZVms2mS+D9moW
nXyOIjkWeKc4CrxjFFkEqv0A5HduWhAOCSErEF6Wx2CRYfbUfOyle1euAFHsZowh
XMXE23rwbasLFKeBATeTsOChMVV9yKOkSLQX7+4q/blTWucDLwjoObcnjNhngAi5
RRiIP9oadjgO2fggdgz/s0TI5yFQRMpCmuxCSqOZg6vrRvZrAOofgr0yRU3hqd0x
ux/JQMRMU7dnoY8V79nvEnTknq5aYAwUhPcy2v8vcJQ3v7eJoZscVwC40O2bqcFg
yq7DzlCAHfNcugEGXqA4ZJ6F6qU7nR/PNQCddMkQWy90vSORp1p12rzFTms8QcrS
bA7d2W/Eygs0PucT/wNthQmhYjmPknOv5e66RUyV5CMjAZubDR+VHdFncEtGWhtz
0CANPxjPV7UqST8mLLVrniHXRUtzKnDoJhJuhkHpLFlD5L1/aUWVHLXdXR1yI6of
3WgJOKt9b68ihsuwWIsQ33TUmPq+l8S6G7Q3JuVL5a2xIp3qw3o=
=owU4
-----END PGP SIGNATURE-----
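The CVE-2021-45452 entry above says Storage.save() accepted crafted file names that escaped the storage location. The following is an added example written for this page, not Django's own code and not part of the Debian upload: it shows the two checks a storage backend needs before writing, a name-level check that rejects absolute paths and any ".." component, and a containment check on the normalised joined path. The helper names (validate_file_name, safe_join, save, is_rejected, make_temp_root) and the SuspiciousFileOperation exception are this example's own; the structure is modelled on the approach of the upstream fix rather than copied from it.

```python
import os
import pathlib
import tempfile


class SuspiciousFileOperation(Exception):
    """Raised when a file name would place a file outside the storage root."""


def validate_file_name(name, allow_relative_path=False):
    """Reject names with no usable basename, absolute names, or any '..' part.

    Independent re-implementation for this example: the name is checked
    before it is ever joined onto the storage location.
    """
    base = os.path.basename(name)
    if base in ("", ".", ".."):
        raise SuspiciousFileOperation(f"Could not derive file name from {name!r}")
    if allow_relative_path:
        path = pathlib.PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in {name!r}")
    elif name != base:
        raise SuspiciousFileOperation(f"File name {name!r} includes path elements")
    return name


def safe_join(root, *paths):
    """Join paths onto root and refuse any result that resolves outside root.

    The containment check runs on the normalised absolute path, so a name
    such as 'uploads/../../x' is caught here even if the name-level check
    were skipped.
    """
    root = os.path.abspath(root)
    final = os.path.abspath(os.path.join(root, *paths))
    root_with_sep = root if root.endswith(os.sep) else root + os.sep
    if final != root and not final.startswith(root_with_sep):
        raise SuspiciousFileOperation(
            f"The joined path ({final}) is located outside of the base path ({root})"
        )
    return final


def save(root, name, content):
    """Hypothetical Storage.save()-style helper: write content under root.

    Returns the stored name relative to root.
    """
    validate_file_name(name, allow_relative_path=True)
    full_path = safe_join(root, name)
    os.makedirs(os.path.dirname(full_path), exist_ok=True)
    with open(full_path, "wb") as fh:
        fh.write(content)
    return os.path.relpath(full_path, os.path.abspath(root))


def is_rejected(root, name):
    """True if save() would refuse this name, without touching the filesystem."""
    try:
        validate_file_name(name, allow_relative_path=True)
        safe_join(root, name)
    except SuspiciousFileOperation:
        return True
    return False


def make_temp_root():
    """Fresh scratch directory acting as the storage location."""
    return tempfile.mkdtemp(prefix="storage-")


if __name__ == "__main__":
    root = make_temp_root()
    print(save(root, "uploads/report.txt", b"ok"))
    for crafted in ("../../etc/passwd", "/etc/passwd", "uploads/../../x", "uploads/"):
        print(crafted, "->", "rejected" if is_rejected(root, crafted) else "ALLOWED")
```

Both checks are kept because they fail differently: the name-level check rejects ".." anywhere, including names such as "uploads/../x" that would still land inside the root after normalisation, while the join-level check is the last line of defence for any caller that builds the path itself.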
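The file above carries Checksums-Sha256 and Files stanzas for the uploaded artefacts. As an added example for this page (not Debian tooling and not part of the upload), the following parses one checksum stanza of a .changes file and checks the listed size and SHA-256 of each artefact. The stanza it runs against is generated from constructed sample bytes, so it is not the python-django upload; the function names (parse_checksums, verify_files, build_sample_changes, check_upload) are this example's own. A mismatch or a listed-but-missing file is reported as a failure, and an artefact that is present but not listed is flagged as well, since the signature covers nothing about it.

```python
import hashlib


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one checksum field.

    Debian control format: 'Field: value' lines, with multi-line values
    continued on lines that begin with a single space. Checksum continuation
    lines are '<digest> <size> <filename>'.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(" "):
            if not in_field:
                continue  # continuation of some other field (Changes:, Files:, ...)
            parts = line.split()
            if len(parts) != 3:
                raise ValueError(f"malformed checksum line: {line!r}")
            digest, size, name = parts
            entries[name] = (digest.lower(), int(size))
        else:
            in_field = line.startswith(field + ":")
    return entries


def verify_files(entries, contents):
    """Map each listed filename to True/False: do real size and SHA-256 match?

    A file listed in the stanza but absent from `contents` is a failure, so a
    partial set of artefacts never verifies.
    """
    results = {}
    for name, (digest, size) in entries.items():
        data = contents.get(name)
        if data is None:
            results[name] = False
        else:
            results[name] = (
                len(data) == size and hashlib.sha256(data).hexdigest() == digest
            )
    return results


# Constructed sample artefacts (not the real python-django upload). The stanza
# below is generated from these bytes so the example runs offline.
SAMPLE_FILES = {
    "example_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n",
    "example_1.0.orig.tar.gz": b"\x1f\x8b constructed bytes, not a real gzip stream",
}


def build_sample_changes(files):
    """Emit a minimal .changes-style text with Checksums-Sha256 and Files stanzas.

    The Files stanza's MD5 column is irrelevant to this check and is filled
    with a placeholder; it is present only to show the parser skips it.
    """
    lines = ["Format: 1.8", "Source: example", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines.append("Files:")
    for name, data in files.items():
        lines.append(f" {'0' * 32} {len(data)} python optional {name}")
    return "\n".join(lines) + "\n"


def check_upload(files, changes_text):
    """Verify every listed artefact and flag any artefact the stanza omits."""
    entries = parse_checksums(changes_text)
    results = verify_files(entries, files)
    for name in files:
        if name not in entries:
            results[name] = False  # on disk but not covered by the stanza
    return results


if __name__ == "__main__":
    text = build_sample_changes(SAMPLE_FILES)
    print(check_upload(SAMPLE_FILES, text))
    tampered = dict(SAMPLE_FILES)
    tampered["example_1.0-1.dsc"] += b"\n"
    print(check_upload(tampered, text))
```

The checksums are only as trustworthy as the signature around them: verify the PGP signature first (for example with `gpg --verify` against the Debian keyring, or `dscverify` from devscripts) and only then compare the digests, since an attacker who can replace the artefacts can just as easily rewrite an unsigned checksum list.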