-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Jan 2022 12:35:16 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.11-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1003113
Changes:
 python-django (2:3.2.11-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2021-45115: Denial-of-service possibility in
       UserAttributeSimilarityValidator
 .
       UserAttributeSimilarityValidator incurred significant overhead
       evaluating submitted passwords that were artificially large relative
       to the comparison values. On the assumption that access to user
       registration was unrestricted, this provided a potential vector for a
       denial-of-service attack.
 .
       In order to mitigate this issue, relatively long values are now
       ignored by UserAttributeSimilarityValidator.
 .
     - CVE-2021-45116: Potential information disclosure in dictsort template
       filter
 .
       Due to leveraging the Django Template Language's variable resolution
       logic, the dictsort template filter was potentially vulnerable to
       information disclosure or unintended method calls, if passed a
       suitably crafted key.
 .
       In order to avoid this possibility, dictsort now works with a
       restricted resolution logic that will not call methods, nor allow
       indexing on dictionaries.
 .
     - CVE-2021-45452: Potential directory-traversal via Storage.save()
 .
       Storage.save() allowed directory-traversal if directly passed suitably
       crafted file names.
 .
       See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
       for more information. (Closes: #1003113)
Checksums-Sha1:
 65976c9ce24d08d5a1e9e7d358281a430c512b56 2807 python-django_3.2.11-1.dsc
 2a6c6ad3a7979f26e1ebf9489ec68eaa2bdef6cd 9821958 python-django_3.2.11.orig.tar.gz
 39a6e2055bbed12bc9860f0114336e136340f4cf 34244 python-django_3.2.11-1.debian.tar.xz
 a93220b0fd4e61f093b0b46b865d19db3a5cce25 7979 python-django_3.2.11-1_amd64.buildinfo
Checksums-Sha256:
 4fc271234dfa156b49b4f7cac8f47388c3dd35c7ccb152c1a5453e7490cf530b 2807 python-django_3.2.11-1.dsc
 69c94abe5d6b1b088bf475e09b7b74403f943e34da107e798465d2045da27e75 9821958 python-django_3.2.11.orig.tar.gz
 0a54468ae6869cfbe15f4770818fcf1c0f59dce3299390707346a9148537a6f2 34244 python-django_3.2.11-1.debian.tar.xz
 c97509346848cdc8f4e148a7c7e4c34c4bef560940baa7b2c1347a61683e9846 7979 python-django_3.2.11-1_amd64.buildinfo
Files:
 d21c95b006db9c0772c57d5c77a09c48 2807 python optional python-django_3.2.11-1.dsc
 6c4a53d2ccb464bc3dd772c6f2f07df9 9821958 python optional python-django_3.2.11.orig.tar.gz
 9c3515e7da562938b2fe2db3b6081f7f 34244 python optional python-django_3.2.11-1.debian.tar.xz
 5b10b781ffb89bfa98734d6d1ac46b32 7979 python optional python-django_3.2.11-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmHUXHwACgkQHpU+J9Qx
Hlg5qxAAiyxmddPPLEPv1aO/nUxRVA/7tEzC0SI1wLDTRPYiGUS21ktLNGXmPJgX
B6ehFrsnvq3TFiwRRhgv4e8DeYaZlIS+vID0H8cJKLjlwp7jhnXpAwIhw3QrpX5n
yhzK77LIbnCe6hZE4j5B3NEl4EcjdAKyHrb/cLSba9RQwKPPKdxG19gbG2cJ8i4p
LZ6z5NpmyVHXReMsjSHJCidVbEI1jntiJcqwTPgW/tVcENXTh4zgVvijqHkv7wnj
nNGIdI1uK/nPa3u6duBRS0hdLZmNAcWB5NTyDY+Y3Ew/MsRQCtA1cobThew7b1Dx
6V4aGWru5iJea66vrMGFYAayA/RlbyeN/OfGaTdb2LA8Uu/vbzhdisHWXefe/i7R
XIz6n1XahUzt/6809uUgjoxviGJLHG/EjsXi21Pf04p+cLADLH1BmwUF/L5HEOSp
e64aq159FGFIv5oElkvS1I8HKsjYMQ30+WX+k1tycvTu/uXM0fI9KszEvOI1Mzhs
cFDUXKxFszroRlk5he7Oi3W1eEPVWaba4DCgV4RkfvOf9zmCOmz6xqVUFAiRHYFq
47hqiV9A41nedEpMpgFoL7E65nHniAn6/d5azfZeRhDnf88JY3NeN9ZPnn12lJAb
jf+TqTwwFnTAgjdwndqeF3+GuxMBhymPYXCW3poGOJGgod2FPSc=
=xGpu
-----END PGP SIGNATURE-----