Format: 1.8
Date: Tue, 12 Apr 2022 18:22:30 +0200
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.13-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Changes:
 python-django (2:3.2.13-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2022-28346: Potential SQL injection in QuerySet.annotate(),
       aggregate(), and extra().
 .
       QuerySet.annotate(), aggregate(), and extra() methods were subject to
       SQL injection in column aliases, using a suitably crafted dictionary,
       with dictionary expansion, as the **kwargs passed to these methods.
 .
     - CVE-2022-28347: Potential SQL injection via
       QuerySet.explain(**options) on PostgreSQL.
 .
       QuerySet.explain() method was subject to SQL injection in option names,
       using a suitably crafted dictionary, with dictionary expansion, as the
       **options argument.
 .
     See <https://www.djangoproject.com/weblog/2022/apr/11/security-releases/>
     for more info.