-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 12 Apr 2022 18:13:56 +0200
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:4.0.4-1
Distribution: experimental
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Changes:
 python-django (2:4.0.4-1) experimental; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2022-28346: Potential SQL injection in QuerySet.annotate(),
       aggregate(), and extra().
 .
       QuerySet.annotate(), aggregate(), and extra() methods were subject to
       SQL injection in column aliases, using a suitably crafted dictionary,
       with dictionary expansion, as the **kwargs passed to these methods.
 .
     - CVE-2022-28347: Potential SQL injection via
       QuerySet.explain(**options) on PostgreSQL.
 .
       QuerySet.explain() method was subject to SQL injection in option
       names, using a suitably crafted dictionary, with dictionary expansion,
       as the **options argument.
 .
     See <https://www.djangoproject.com/weblog/2022/apr/11/security-releases/>
     for more info.
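An application-side check for the pattern both CVE entries describe, where the keys of a dictionary built from untrusted input are expanded as **kwargs or **options. This is an added example, not code from Django or from the Debian package; `safe_kwargs`, `verdict`, the identifier pattern and both allowlists are assumptions made for illustration.

```python
import re

# Assumption of this example: names are plain ASCII identifiers, nothing else.
# \Z (not $) so a trailing newline cannot slip through.
SAFE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")

# Hypothetical per-call allowlists an application would define for itself.
ANNOTATE_ALIASES = frozenset({"total", "order_count"})
EXPLAIN_OPTIONS = frozenset({"analyze", "verbose"})


def safe_kwargs(untrusted, allowed):
    """Return a copy of `untrusted` whose keys are safe to expand with **.

    Every key must be a str, match SAFE_NAME, and be in `allowed`;
    the first key that fails raises ValueError. Values are not inspected.
    """
    clean = {}
    for key, value in untrusted.items():
        if not isinstance(key, str) or not SAFE_NAME.match(key):
            raise ValueError(f"not a plain identifier: {key!r}")
        if key not in allowed:
            raise ValueError(f"not allow-listed: {key!r}")
        clean[key] = value
    return clean


def verdict(untrusted, allowed):
    """Classify one dictionary as 'ok' or return the rejection reason."""
    try:
        safe_kwargs(untrusted, allowed)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample inputs, standing in for dictionaries parsed from a request.
SAMPLES = [
    ({"total": "price"}, ANNOTATE_ALIASES),
    ({"total price": "price"}, ANNOTATE_ALIASES),   # whitespace in alias
    ({'tot"al': "price"}, ANNOTATE_ALIASES),        # quote in alias
    ({"internal": "price"}, ANNOTATE_ALIASES),      # well-formed, not expected
    ({"analyze": True}, EXPLAIN_OPTIONS),
    ({"analyze on": True}, EXPLAIN_OPTIONS),        # whitespace in option name
]

if __name__ == "__main__":
    for data, allowed in SAMPLES:
        print(sorted(data), "->", verdict(data, allowed))
```

Run the check immediately before the `**` expansion; it validates names only, so values need their own handling.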