-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 18 Feb 2022 09:51:31 -0800
Source: python-django
Binary: python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 2:3.2.12-1~bpo11+1
Distribution: bullseye-backports
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework
Closes: 1003113 1004464 1004752
Changes:
 python-django (2:3.2.12-1~bpo11+1) bullseye-backports; urgency=medium
 .
   * Rebuild for bullseye-backports.
 .
 python-django (2:3.2.12-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2022-22818: Possible XSS via {% debug %} template tag.
 .
       The {% debug %} template tag didn't properly encode the current
       context, posing an XSS attack vector.
 .
       In order to avoid this vulnerability, {% debug %} no longer outputs
       information when the DEBUG setting is False, and it ensures all
       context variables are correctly escaped when the DEBUG setting is
       True.
 .
     - CVE-2022-23833: Denial-of-service possibility in file uploads.
 .
       Passing certain inputs to multipart forms could result in an
       infinite loop when parsing files.
 .
     See <https://www.djangoproject.com/weblog/2022/feb/01/security-releases/>
     for more information. (Closes: #1004752)
 .
 python-django (2:3.2.11-2) unstable; urgency=medium
 .
   [ Chris Lamb ]
   * Fix compatibility with SQLite 3.37+. (Closes: #1004464)
 .
   [ Salman Mohammadi ]
   * Drop references to the deprecated python3-memcache package.
 .
   [ Mattia Rizzolo ]
   * Add a Breaks against python3-django-countries (<< 7,1~).
   * Add a Breaks against python3-django-tables2 (<< 2.3.4) (see #985774).
 .
 python-django (2:3.2.11-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2021-45115: Denial-of-service possibility in
       UserAttributeSimilarityValidator
 .
       UserAttributeSimilarityValidator incurred significant overhead
       evaluating submitted passwords that were artificially large relative
       to the comparison values. On the assumption that access to user
       registration was unrestricted, this provided a potential vector for
       a denial-of-service attack.
 .
       In order to mitigate this issue, relatively long values are now
       ignored by UserAttributeSimilarityValidator.
 .
     - CVE-2021-45116: Potential information disclosure in dictsort
       template filter
 .
       Due to leveraging the Django Template Language's variable resolution
       logic, the dictsort template filter was potentially vulnerable to
       information disclosure or unintended method calls, if passed a
       suitably crafted key.
 .
       In order to avoid this possibility, dictsort now works with a
       restricted resolution logic that will not call methods, nor allow
       indexing on dictionaries.
 .
     - CVE-2021-45452: Potential directory-traversal via Storage.save()
 .
       Storage.save() allowed directory-traversal if directly passed
       suitably crafted file names.
 .
     See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
     for more information. (Closes: #1003113)
Checksums-Sha1:
 3fce32b5190c1a53726509796a881cceed2731e6 2839 python-django_3.2.12-1~bpo11+1.dsc
 93f6c3f0fd89f5c5a44dee688e752a258900a54e 9812448 python-django_3.2.12.orig.tar.gz
 15772d200a135f0b3f24688863350204a919f1a8 35592 python-django_3.2.12-1~bpo11+1.debian.tar.xz
 d0abe56beebac536df6c95cb0e43208a0f46ea07 2839248 python-django-doc_3.2.12-1~bpo11+1_all.deb
 b2e3bc236870f8157485b5e25b248d7350d38852 8109 python-django_3.2.12-1~bpo11+1_amd64.buildinfo
 27512f8d30ba77df565d04609c061b0373d965ef 2838388 python3-django_3.2.12-1~bpo11+1_all.deb
Checksums-Sha256:
 ec557b611ba293a0b5dbb9c3a1ace1b21efa34e979caaf048edb3b5a7d047daa 2839 python-django_3.2.12-1~bpo11+1.dsc
 9772e6935703e59e993960832d66a614cf0233a1c5123bc6224ecc6ad69e41e2 9812448 python-django_3.2.12.orig.tar.gz
 2ba0392c4942686cd254463bd50d28aa66b2b2e91a3ce3a432b2798cd8148ddd 35592 python-django_3.2.12-1~bpo11+1.debian.tar.xz
 921c1b88fc5d819159aca6c64925516c84fad952a36bd7dcb2783f7200934afe 2839248 python-django-doc_3.2.12-1~bpo11+1_all.deb
 896b8518c90ef3d76fb6912010a469f53c1e9d244669054e81fad15457ecc41b 8109 python-django_3.2.12-1~bpo11+1_amd64.buildinfo
 849e8fcda874bfe7078f3191a22dcafaad08cfb264fcf1e454a9aa457ff55373 2838388 python3-django_3.2.12-1~bpo11+1_all.deb
Files:
 52bd7ede15de126c99580348b0e522f9 2839 python optional python-django_3.2.12-1~bpo11+1.dsc
 1847b2f286930a9d84e820a757e3a7ec 9812448 python optional python-django_3.2.12.orig.tar.gz
 af05701390efb3062760c427ed3ec8b6 35592 python optional python-django_3.2.12-1~bpo11+1.debian.tar.xz
 faa700463beea2d4aa5c1084347a0cff 2839248 doc optional python-django-doc_3.2.12-1~bpo11+1_all.deb
 1d7aee766019259949cebe13e54c2c8b 8109 python optional python-django_3.2.12-1~bpo11+1_amd64.buildinfo
 cfc1ef4264feb0b0cac51d74c1788484 2838388 python optional python3-django_3.2.12-1~bpo11+1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmIP3b8ACgkQHpU+J9Qx
Hlh6BQ//SLXVJ7XWLeJ8R+6GwTcoSxIdpcVl9EZUzFtCFYKrWqlXqCC2OBKE+UGW
4Wl+hIrl9UHPvRm9xK4vO+wOwJTloYOFPrgSBJSVTkI2ty4yG/bw0Nwc8ZRKg9TV
xG1b3FG5u84GeZBlgnWXJmlzB6NPMu9gA9uFu/qPvlF937XevaJmkVSiLK+GEsNd
9lR//4LUTl9gruVwVrodu65hKvdCEX0XzrUaA5mEMFoGD/pesD899GKC0CcxiTBW
UUc470jvlFIQQGwep/UP1aTL6KJKklLbyFtctoLqYqcczg7e0FQjtjIEFD7xKElW
YGCNdRN7NR0MV/8vcIFnKKbrO6tBfvARk0KUT9PbHv7WeGBMwc1LFNaV72veDfAM
qBWeW4tTVsxksqfWpE46FFNkJxkxR/YwDabby9XmfJshEW8085FL3DWyOKGBBsU1
PFJDxAQT047q58SYY/hSMYFsKJPjMI+MA2kVCZ6Eisp9TLXcNxfroViMefn/qEqR
NSjHxAiAstda0EBcMAvD7N5yeCEsynArmAgE+0GXGO1f5QfWNB/5Jq8vOd1EjQud
PtiuoAOYEh7Jmhf0nbm/0hjj1pCVVWHP5NWcNP2vFYUJPrPuj00IzuzaMsxgXNIE
8UBzy6HQ8Afj+iDUaBAPTB0WxDzePQg31hwyEdwa0j1lktSLRgU=
=xWtt
-----END PGP SIGNATURE-----
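The CVE-2021-45452 entry in the changelog above says only that Storage.save() allowed directory traversal when handed a crafted file name. The following is an added illustration, not code from Django or from the python-django package: a minimal Storage-style backend in its "before" form (it joins the caller's name onto its root and uses the result) next to a hardened form with the two checks that close the hole. The class names, the helper names validate_file_name() and safe_join(), and the sample file names are this example's own assumptions.

```python
"""
Added example, not code from Django or the python-django package: a
Storage-style save() shown once trusting the caller's file name (the class of
bug CVE-2021-45452 describes) and once with the checks that stop traversal.
Class names, helper names and the sample file names are assumptions.
"""
import os
import pathlib
import tempfile


class SuspiciousFileOperation(Exception):
    """Raised when a caller-supplied name would escape the storage root."""


def validate_file_name(name: str) -> str:
    """Reject absolute names, any '..' component, and empty or dot basenames.

    PurePosixPath is used because storage names are assumed here to be
    Unix-style relative paths with forward slashes.
    """
    path = pathlib.PurePosixPath(name)
    if path.is_absolute() or ".." in path.parts or path.name in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"path traversal attempt in {name!r}")
    return name


def safe_join(base: str, name: str) -> str:
    """Join, normalise, then insist the result is still under base.

    Independent of validate_file_name(): whatever normalisation does to the
    name, the final path a backend opens must sit inside the root.
    """
    base_abs = os.path.abspath(base)
    final = os.path.abspath(os.path.join(base_abs, name))
    if final != base_abs and not final.startswith(base_abs + os.sep):
        raise SuspiciousFileOperation(f"{name!r} resolves outside {base_abs!r}")
    return final


class VulnerableStorage:
    """'Before': the caller's name is joined onto the root and used as-is."""

    def __init__(self, root: str):
        self.root = os.path.abspath(root)

    def path(self, name: str) -> str:
        # os.path.join() discards the root entirely when name is absolute,
        # and '..' components walk out of it; nothing here objects.
        return os.path.abspath(os.path.join(self.root, name))

    def save(self, name: str, content: bytes) -> str:
        full = self.path(name)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        return full


class HardenedStorage(VulnerableStorage):
    """'After': component check first, resolved-path check second."""

    def path(self, name: str) -> str:
        validate_file_name(name)
        return safe_join(self.root, name)


def is_rejected(storage, name: str) -> bool:
    """True if the backend refuses to compute a path for name."""
    try:
        storage.path(name)
    except SuspiciousFileOperation:
        return True
    return False


def escapes_root(storage, name: str) -> bool:
    """True if the path the backend computes for name lies outside its root."""
    if is_rejected(storage, name):
        return False
    final = storage.path(name)
    return final != storage.root and not final.startswith(storage.root + os.sep)


if __name__ == "__main__":
    # Constructed demo: both backends rooted in a throwaway directory and fed
    # the same crafted names; every escape stays inside the temp dir.
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "media")
        os.makedirs(root)
        crafted = ["avatars/u1.png", "../escaped.txt",
                   os.path.join(tmp, "absolute.txt"), "a/../../b.txt"]
        for backend in (VulnerableStorage(root), HardenedStorage(root)):
            for name in crafted:
                try:
                    print(type(backend).__name__, name, "->", backend.save(name, b"x"))
                except SuspiciousFileOperation as exc:
                    print(type(backend).__name__, name, "-> rejected:", exc)
```

Both checks are kept because they fail differently: the component check gives a clear error before any filesystem call and catches names such as a/../../b.txt that normalisation would quietly turn into something outside the root, while the resolved-path check is the one a backend should apply to the final path it actually opens, whatever validation happened earlier.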
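The Checksums-Sha256 and Files stanzas above are what a consumer of this upload checks downloaded artefacts against. The following added example (not part of the .changes file and not Debian's dpkg or dak tooling) parses those two stanzas and verifies a directory of files against them; CHANGES_TEXT is the two stanzas copied verbatim from the signed message, while the files built by selfcheck() are constructed here and are not the real packages. Note that the Files: stanza carries MD5 sums for legacy tools, so the SHA-256 stanza is the one to compare against, and that these digests are only as trustworthy as the PGP signature over the message that carries them.

```python
"""
Added example, not part of the .changes file above nor of Debian's tooling:
parse the Checksums-Sha256 and Files stanzas and verify downloaded files
against them. CHANGES_TEXT is copied from the signed message; the files that
selfcheck() writes are constructed samples, not the real packages.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    digest: str   # hex digest as printed in the stanza
    size: int     # byte size as printed in the stanza
    name: str     # file name, always the last column


CHANGES_TEXT = """\
Checksums-Sha256:
 ec557b611ba293a0b5dbb9c3a1ace1b21efa34e979caaf048edb3b5a7d047daa 2839 python-django_3.2.12-1~bpo11+1.dsc
 9772e6935703e59e993960832d66a614cf0233a1c5123bc6224ecc6ad69e41e2 9812448 python-django_3.2.12.orig.tar.gz
 2ba0392c4942686cd254463bd50d28aa66b2b2e91a3ce3a432b2798cd8148ddd 35592 python-django_3.2.12-1~bpo11+1.debian.tar.xz
 921c1b88fc5d819159aca6c64925516c84fad952a36bd7dcb2783f7200934afe 2839248 python-django-doc_3.2.12-1~bpo11+1_all.deb
 896b8518c90ef3d76fb6912010a469f53c1e9d244669054e81fad15457ecc41b 8109 python-django_3.2.12-1~bpo11+1_amd64.buildinfo
 849e8fcda874bfe7078f3191a22dcafaad08cfb264fcf1e454a9aa457ff55373 2838388 python3-django_3.2.12-1~bpo11+1_all.deb
Files:
 52bd7ede15de126c99580348b0e522f9 2839 python optional python-django_3.2.12-1~bpo11+1.dsc
 1847b2f286930a9d84e820a757e3a7ec 9812448 python optional python-django_3.2.12.orig.tar.gz
 af05701390efb3062760c427ed3ec8b6 35592 python optional python-django_3.2.12-1~bpo11+1.debian.tar.xz
 faa700463beea2d4aa5c1084347a0cff 2839248 doc optional python-django-doc_3.2.12-1~bpo11+1_all.deb
 1d7aee766019259949cebe13e54c2c8b 8109 python optional python-django_3.2.12-1~bpo11+1_amd64.buildinfo
 cfc1ef4264feb0b0cac51d74c1788484 2838388 python optional python3-django_3.2.12-1~bpo11+1_all.deb
"""


def parse_stanza(text: str, field: str) -> List[Entry]:
    """Return the entries listed under a multi-line field such as Checksums-Sha256.

    The field name stands alone on its line and each entry is a continuation
    line starting with one space. Files: entries carry two extra columns
    (section, priority) before the name, so the name is read from the end of
    the line rather than from a fixed column.
    """
    entries: List[Entry] = []
    in_field = False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_field = line.rstrip() == f"{field}:"
            continue
        if in_field:
            parts = line.split()
            entries.append(Entry(parts[0], int(parts[1]), parts[-1]))
    return entries


def sha256_file(path: str) -> str:
    """Stream the file so multi-megabyte .deb and .orig.tar.gz files stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(entries: List[Entry], directory: str) -> Dict[str, str]:
    """Map each name to 'ok', 'missing', 'size-mismatch' or 'digest-mismatch'.

    Size is checked first because it is free and a truncated download is the
    common failure; the digest is computed only for files of the right size.
    """
    results: Dict[str, str] = {}
    for entry in entries:
        path = os.path.join(directory, entry.name)
        if not os.path.isfile(path):
            results[entry.name] = "missing"
        elif os.path.getsize(path) != entry.size:
            results[entry.name] = "size-mismatch"
        elif sha256_file(path) != entry.digest:
            results[entry.name] = "digest-mismatch"
        else:
            results[entry.name] = "ok"
    return results


def selfcheck() -> Dict[str, str]:
    """Run verify() over constructed files: good, truncated, tampered, absent."""
    good = b"constructed sample bytes, not a Debian package\n"
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "good.deb": good,
            "truncated.deb": good[:-1],        # wrong length
            "tampered.deb": good[:-1] + b"!",  # same length, one byte changed
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        expected = hashlib.sha256(good).hexdigest()
        entries = [Entry(expected, len(good), n) for n in
                   ("good.deb", "truncated.deb", "tampered.deb", "absent.deb")]
        return verify(entries, d)


if __name__ == "__main__":
    # Run in a directory holding the downloaded .dsc, tarballs and .debs.
    for name, status in verify(parse_stanza(CHANGES_TEXT, "Checksums-Sha256"), ".").items():
        print(f"{status:16} {name}")
    print("selfcheck:", selfcheck())
```

Verify the signature on the .changes file with gpg before relying on any of this: a checksum match only proves the download equals what the signer of the message listed.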