Format: 1.8
Date: Wed, 10 Jul 2024 09:50:49 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.14-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1076069
Changes:
 python-django (3:4.2.14-1) unstable; urgency=medium
 .
   * New upstream security release. (Closes: #1076069)
 .
     - CVE-2024-38875: Prevent a potential denial-of-service in
       django.utils.html.urlize. This method (and urlizetrunc) was subject
       to a potential DoS attack via specially-crafted inputs with a very
       large number of brackets.
 .
     - CVE-2024-39329: Avoid a username enumeration vulnerability through
       timing difference for users with unusable password. The authenticate
       method of django.contrib.auth.backends.ModelBackend allowed remote
       attackers to enumerate users via a timing attack involving login
       requests for users with unusable passwords.
 .
     - CVE-2024-39330: Address a potential directory-traversal in
       django.core.files.storage.Storage.save. Derived classes of this
       method's base class which override generate_filename without
       replicating the file path validations existing in the parent class
       allowed for potential directory-traversal via certain inputs when
       calling save(). Built-in Storage sub-classes were not affected by
       this vulnerability.
 .
     - CVE-2024-39614: Fix a potential denial-of-service in
       django.utils.translation.get_supported_language_variant. This method
       was subject to a potential DoS attack when used with very long
       strings containing specific characters. To mitigate this
       vulnerability, the language code provided to
       get_supported_language_variant is now parsed up to a maximum length
       of 500 characters.
 .
     <https://www.djangoproject.com/weblog/2024/jul/09/security-releases/>
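As an added illustration of the CVE-2024-39330 entry above (example code, not Django's or the package's own): a hypothetical stand-in storage base class whose save() re-validates the name returned by generate_filename, so a subclass override that skips the parent's checks cannot yield a path that escapes the upload root. Class and function names are placeholders modelled on the Django names quoted in the changelog, and the sample inputs are constructed.

```python
import os
import pathlib


class SuspiciousFileOperation(Exception):
    """Raised when a generated name would escape the storage root."""


def validate_file_name(name, allow_relative_path=False):
    """Reject names that could traverse out of the storage location.

    Hypothetical stand-in for the parent-class validation the changelog
    refers to; it is not Django's own code.
    """
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from {name!r}")
    if allow_relative_path:
        # Treat the name as a POSIX path so a backslash cannot hide a component.
        path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in {name!r}")
    elif name != os.path.basename(name):
        raise SuspiciousFileOperation(f"File name {name!r} includes path elements")
    return name


class Storage:
    """Minimal stand-in for a storage base class (hypothetical)."""

    def generate_filename(self, filename):
        dirname, basename = os.path.split(filename)
        return os.path.normpath(os.path.join(dirname, validate_file_name(basename)))

    def save(self, name, content):
        name = self.generate_filename(name)
        # Hardened behaviour: re-validate whatever a subclass returned, so an
        # override that skipped the checks cannot produce a traversing path.
        validate_file_name(name, allow_relative_path=True)
        return name  # a real storage would now write `content` under this name


class DatePrefixedStorage(Storage):
    """Subclass that overrides generate_filename without replicating the checks."""

    def generate_filename(self, filename):
        return f"uploads/2024/{filename}"  # `filename` is not validated here


def save_upload(storage, name):
    """Return the stored name, or None when save() rejects it."""
    try:
        return storage.save(name, b"constructed sample content")
    except SuspiciousFileOperation:
        return None
```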