-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 03 Sep 2024 12:23:16 +0100
Source: python-django
Binary: python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 3:4.2.15-1~bpo12+1
Distribution: bookworm-backports
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework
Closes: 1037920 1040225 1051226 1076069 1078074
Changes:
 python-django (3:4.2.15-1~bpo12+1) bookworm-backports; urgency=medium
 .
   * Rebuild for bookworm-backports.
 .
 python-django (3:4.2.15-1) unstable; urgency=high
 .
   * New upstream security release. (Closes: #1078074)
 .
     - CVE-2024-41989: Memory exhaustion in django.utils.numberformat.
 .
       The floatformat template filter is subject to significant memory
       consumption when given a string representation of a number in
       scientific notation with a large exponent.
 .
     - CVE-2024-41990: Potential denial-of-service in
       django.utils.html.urlize.
 .
       The urlize() and urlizetrunc() template filters are subject to a
       potential denial-of-service attack via very large inputs with a
       specific sequence of characters.
 .
     - CVE-2024-41991: Potential denial-of-service vulnerability in
       django.utils.html.urlize() and AdminURLFieldWidget
 .
       The urlize and urlizetrunc template filters, and the
       AdminURLFieldWidget widget, are subject to a potential
       denial-of-service attack via certain inputs with a very large number
       of Unicode characters.
 .
     - CVE-2024-42005: Potential SQL injection in QuerySet.values() and
       values_list()
 .
       QuerySet.values() and values_list() methods on models with a
       JSONField are subject to SQL injection in column aliases via a
       crafted JSON object key as a passed *arg.
 .
     <https://www.djangoproject.com/weblog/2024/aug/06/security-releases/>
 .
 python-django (3:4.2.14-1) unstable; urgency=medium
 .
   * New upstream security release. (Closes: #1076069)
 .
     - CVE-2024-38875: Prevent a potential denial-of-service in
       django.utils.html.urlize. This method (and urlizetrunc) was subject
       to a potential DoS attack via specially-crafted inputs with a very
       large number of brackets.
 .
     - CVE-2024-39329: Avoid a username enumeration vulnerability through
       timing difference for users with unusable password. The authenticate
       method of django.contrib.auth.backends.ModelBackend allowed remote
       attackers to enumerate users via a timing attack involving login
       requests for users with unusable passwords.
 .
     - CVE-2024-39330: Address a potential directory-traversal in
       django.core.files.storage.Storage.save. Derived classes of this
       method's base class which override generate_filename without
       replicating the file path validations existing in the parent class
       allowed for potential directory-traversal via certain inputs when
       calling save(). Built-in Storage sub-classes were not affected by
       this vulnerability.
 .
     - CVE-2024-39614: Fix a potential denial-of-service in
       django.utils.translation.get_supported_language_variant. This method
       was subject to a potential DoS attack when used with very long
       strings containing specific characters. To mitigate this
       vulnerability, the language code provided to
       get_supported_language_variant is now parsed up to a maximum length
       of 500 characters.
 .
     <https://www.djangoproject.com/weblog/2024/jul/09/security-releases/>
 .
 python-django (3:4.2.13-1) unstable; urgency=medium
 .
   * New upstream bugfix releases.
     <https://docs.djangoproject.com/en/5.0/releases/4.2.12/>
     <https://docs.djangoproject.com/en/5.0/releases/4.2.13/>
 .
 python-django (3:4.2.11-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2024-27351: Fix a potential regular expression denial-of-service
       (ReDoS) attack in django.utils.text.Truncator.words. This method
       (with html=True) and the truncatewords_html template filter were
       subject to a potential regular expression denial-of-service attack
       via a suitably crafted string. This is, in part, a follow-up to
       CVE-2019-14232 and CVE-2023-43665.
 .
     <https://docs.djangoproject.com/en/dev/releases/4.2.11/>
 .
 python-django (3:4.2.10-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2024-24680: Potential denial-of-service in intcomma template
       filter. The intcomma template filter was subject to a potential
       denial-of-service attack when used with very long strings.
 .
     <https://docs.djangoproject.com/en/dev/releases/4.2.10/>
 .
 python-django (3:4.2.9-1) unstable; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/dev/releases/4.2.9/>
 .
 python-django (3:4.2.8-1) unstable; urgency=medium
 .
   * New upstream bugfix release.
     <https://docs.djangoproject.com/en/5.0/releases/4.2.8/>
 .
 python-django (3:4.2.6-1) unstable; urgency=high
 .
   * New upstream security release.
 .
     - CVE-2023-43665: Address a denial-of-service possibility in
       django.utils.text.Truncator.
 .
       Following the fix for CVE-2019-14232, the regular expressions used in
       the implementation of django.utils.text.Truncator’s chars() and
       words() methods (with html=True) were revised and improved. However,
       these regular expressions still exhibited linear backtracking
       complexity, so when given a very long, potentially malformed HTML
       input, the evaluation would still be slow, leading to a potential
       denial of service vulnerability.
 .
       The chars() and words() methods are used to implement the
       truncatechars_html and truncatewords_html template filters, which
       were thus also vulnerable.
 .
       The input processed by Truncator, when operating in HTML mode, has
       been limited to the first five million characters in order to avoid
       potential performance and memory issues.
 .
     <https://www.djangoproject.com/weblog/2023/oct/04/security-releases/>
 .
 python-django (3:4.2.5-2) unstable; urgency=medium
 .
   * Upload 4.2.x branch to unstable with a -2 suffix to prevent collision
     with previous upload of 3:4.2.5-1 to experimental.
 .
 python-django (3:3.2.21-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2023-41164: Potential denial of service vulnerability in
       django.utils.encoding.uri_to_iri(). This method was subject to
       potential denial of service attack via certain inputs with a very
       large number of Unicode characters. (Closes: #1051226)
 .
     <https://www.djangoproject.com/weblog/2023/sep/04/security-releases/>
 .
   * Refresh patches.
 .
 python-django (3:3.2.20-1.1) unstable; urgency=high
 .
   [ Gianfranco Costamagna ]
   * Non-maintainer upload.
 .
   [ Graham Inggs ]
   * Cherry-pick upstream commit to fix URLValidator crash in some edge
     cases (LP: #2025155, Closes: #1037920)
 .
 python-django (3:3.2.20-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2023-36053: Potential regular expression denial of service
       vulnerability in EmailValidator/URLValidator.
 .
       EmailValidator and URLValidator were subject to potential regular
       expression denial of service attack via a very large number of domain
       name labels of emails and URLs.
       (Closes: #1040225)
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----