-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 14 Oct 2022 10:02:41 -0700
Source: python-django
Binary: python-django-doc python3-django
Architecture: source all
Version: 2:2.2.28-1~deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework
Closes: 1004752 1009677 1014541
Changes:
 python-django (2:2.2.28-1~deb11u1) bullseye-security; urgency=medium
 .
   * New upstream security release:
     <https://docs.djangoproject.com/en/4.0/releases/2.2.28/>
 .
     - CVE-2022-28346: Prevent a potential SQL injection in
       QuerySet.annotate(), aggregate() and extra(). These methods were
       subject to SQL injection in column aliases. (Closes: #1009677)
 .
     - CVE-2022-28347: Prevent a SQL injection attack via
       QuerySet.explain(**options) when using the PostgreSQL database.
       QuerySet.explain() method was subject to SQL injection in option
       names. (Closes: #1009677)
 .
   * Incorporates changes from previous 2.2.27 security release:
     <https://docs.djangoproject.com/en/4.0/releases/2.2.27/>
 .
     - CVE-2022-22818: Prevent a possible XSS vulnerability via the
       {% debug %} template tag. This tag didn't correctly encode the
       current context, posing an XSS attack vector. In order to avoid
       this vulnerability, {% debug %} no longer outputs information when
       the DEBUG setting is False, and it ensures all context variables
       are correctly escaped when the DEBUG setting is True.
       (Closes: #1004752)
 .
     - CVE-2022-23833: Prevent a denial-of-service opportunity in file
       uploads. Passing certain inputs to multipart forms could result in
       an infinite loop when parsing files. (Closes: #1004752)
 .
   * Additionally backport the following patches from upstream:
 .
     - CVE-2022-34265: Prevent an issue with the Trunc() and Extract()
       database functions which were potentially subject to SQL injection
       if untrusted data was used as a kind/lookup_name value.
       Applications that constrain the lookup name and kind choice to a
       known safe list were unaffected by this vulnerability.
       (Closes: #1014541)
 .
     - CVE-2022-36359: Fix a reflected file download (RFD) attack that
       could be exploited if the application sets the Content-Disposition
       header of a FileResponse derived from user-supplied input.
 .
     - CVE-2022-41323: Prevent a potential denial-of-service vulnerability
       in internationalised URLs that was exploitable via the "locale"
       parameter. This is now escaped to avoid this possibility.
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----