-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 05 Feb 2025 09:39:21 +0000
Source: python-django
Architecture: source
Version: 3:4.2.18-1~bpo12+1
Distribution: bookworm-backports
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1078074 1082209 1093049
Changes:
 python-django (3:4.2.18-1~bpo12+1) bookworm-backports; urgency=medium
 .
   * Rebuild for bookworm-backports.
 .
 python-django (3:4.2.18-1) unstable; urgency=high
 .
   * New upstream security release. (Closes: #1093049)
 .
     - CVE-2024-56374: Potential denial-of-service vulnerability in IPv6
       validation.
 .
       A lack of upper bound limit enforcement in strings passed when
       performing IPv6 validation could have led to a potential
       denial-of-service (DoS) attack. The undocumented and private functions
       clean_ipv6_address and is_valid_ipv6_address were vulnerable, as was
       the GenericIPAddressField form field, which has now been updated to
       define a max_length of 39 characters. The GenericIPAddressField model
       field was not affected.
 .
       <https://www.djangoproject.com/weblog/2025/jan/14/security-releases/>
 .
 python-django (3:4.2.17-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix CommandTypes.test_help_default_options_with_custom_arguments test on
     Python 3.13+ (closes: #1082209).
 .
 python-django (3:4.2.17-1) unstable; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2024-53907: Potential DoS in django.utils.html.strip_tags.
       The strip_tags() method and striptags template filter were subject to a
       potential denial-of-service attack via certain inputs containing large
       sequences of nested incomplete HTML entities.
 .
     - CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle
       Direct usage of the django.db.models.fields.json.HasKey lookup on
       Oracle was subject to SQL injection if untrusted data is used as a lhs
       value. Applications that use the jsonfield.has_key lookup through the
       __ syntax are unaffected.
 .
       <https://www.djangoproject.com/weblog/2024/dec/04/security-releases/>
 .
   * Refresh patches.
 .
 python-django (3:4.2.16-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2024-45230: Potential denial-of-service vulnerability in
       django.utils.html.urlize(). urlize and urlizetrunc were subject to a
       potential denial-of-service attack via very large inputs with a
       specific sequence of characters.
 .
     - CVE-2024-45231: Potential user email enumeration via response status
       on password reset. Due to unhandled email sending failures, the
       django.contrib.auth.forms.PasswordResetForm class allowed remote
       attackers to enumerate user emails by issuing password reset requests
       and observing the outcomes. To mitigate this risk, exceptions occurring
       during password reset email sending are now handled and logged using
       the django.contrib.auth logger.
 .
   * Bump Standards-Version to 4.7.0.
 .
 python-django (3:4.2.15-1) unstable; urgency=high
 .
   * New upstream security release. (Closes: #1078074)
 .
     - CVE-2024-41989: Memory exhaustion in django.utils.numberformat.
 .
       The floatformat template filter is subject to significant memory
       consumption when given a string representation of a number in
       scientific notation with a large exponent.
 .
     - CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize.
 .
       The urlize() and urlizetrunc() template filters are subject to a
       potential denial-of-service attack via very large inputs with a
       specific sequence of characters.
 .
     - CVE-2024-41991: Potential denial-of-service vulnerability in
       django.utils.html.urlize() and AdminURLFieldWidget
 .
       The urlize and urlizetrunc template filters, and the AdminURLFieldWidget
       widget, are subject to a potential denial-of-service attack via certain
       inputs with a very large number of Unicode characters.
 .
     - CVE-2024-42005: Potential SQL injection in QuerySet.values() and
       values_list()
 .
       QuerySet.values() and values_list() methods on models with a JSONField
       are subject to SQL injection in column aliases via a crafted JSON
       object key as a passed *arg.
 .
       <https://www.djangoproject.com/weblog/2024/aug/06/security-releases/>
Checksums-Sha1:
 8a7ec2ce56ad136b637f5b4a46b0f67bdcee403f 2925 python-django_4.2.18-1~bpo12+1.dsc
 68c5ee4216bc1a662aa442bbacc2d6ee9caf997d 33428 python-django_4.2.18-1~bpo12+1.debian.tar.xz
Checksums-Sha256:
 b3c36fb6c34f72437a9d9e060ac254ea2453e793ced1034537a0343571c53ebe 2925 python-django_4.2.18-1~bpo12+1.dsc
 b8f3b6fa9973ad6bab3a919260232ba94aaaa759edd12f0cbacea878027d9d47 33428 python-django_4.2.18-1~bpo12+1.debian.tar.xz
Files:
 cc29860c471ae6079b7621adb0ecd15e 2925 python optional python-django_4.2.18-1~bpo12+1.dsc
 98792f7126d89bce3fffcaa95a73b924 33428 python optional python-django_4.2.18-1~bpo12+1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmejNJgACgkQOTWH2X2G
UAvagA/+M8pUBsrvSRpHYvGyjB784dfZgEvO1Yb1qD+5uvDZHD89wbl4CX2iMbge
NFgZPNQNq2eQ66JYUBg+4b7y6NByberaftvLDSmaxRZYU8m7mQlvCQYPc4zdr013
xHu0WkIJEVxpdHTWrVi+tpQkTQ7+sKKPmzlruiH65clNdomaVI9h9mqtlgPiK+MU
Mc34bxqMhRtpZUAyiBm+1+1cbVfsI/pS9+IHvFyWBWsFarSj+PLx3umJPOvF/Lvw
8FA/CIkbItm/P7kxdS8IkSY6ONC02U+IkUdMHayKVWjG219t5bRaivTp3nTe9gvI
2wwEpEb9Tb74xzthxL8KJMg9oChjwg9/w0/HcIH8KU5eFPXXN2ZNiTpeFMCiZEH8
tERgxoz2ML8PTTPnq+MnsjRyr11P2KjhDhHLnmawlwvD5nQhSGSViOHiEtFW67dI
RvzbGpq2cVbumJgkJrnm1RB9vn+7ajjcrKO9KjUNkhuwDwAuheNMWLZ1zwBztMwd
5rjvFWxj3ac9g0zhzRAJqFR+wplwFNCmcAV6HXajhQv4FuICT3TdI+2u22Y07t8c
3lmmnzAumP1bgcjEHLkFpqKUgb+0Qkk0ymYYWHYSBByWtQTPUa/MfSStJ1BsE9Zb
eKezFKPUZlVpfVtqsfXgVkYOmC4tQT4wBaxQsxw07fs7Rqc4vuE=
=iFTy
-----END PGP SIGNATURE-----
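Added example, not part of the Debian upload above and not Django's own code: a length-bounded IPv6 validator in plain Python using the standard-library ipaddress module. It illustrates the mitigation the CVE-2024-56374 entry describes, an upper bound on the input length (here the 39-character max_length the changelog cites) enforced before the string is handed to the address parser. The function names is_valid_ipv6_address_bounded and clean_ipv6_address_bounded and the sample inputs are constructed for this example and do not correspond to Django's private helpers.

```python
"""Length-bounded IPv6 validation with the stdlib ipaddress module.

Added example illustrating the CVE-2024-56374 mitigation (an upper
bound on input length checked before parsing). Not Django's code; the
function names below are hypothetical.
"""
import ipaddress

# 8 groups of 4 hex digits plus 7 colons: the longest uncompressed IPv6
# textual form, which matches the 39-character max_length the
# changelog cites for the form field.
IPV6_MAX_LENGTH = 39


def is_valid_ipv6_address_bounded(value, max_length=IPV6_MAX_LENGTH):
    """Return True only if value is a str, no longer than max_length,
    and parses as an IPv6 address.

    The length check runs first, so an oversized string is rejected in
    O(1) and never reaches the parser or any regex behind it.
    """
    if not isinstance(value, str) or len(value) > max_length:
        return False
    try:
        ipaddress.IPv6Address(value)
    except ValueError:  # AddressValueError is a ValueError subclass
        return False
    return True


def clean_ipv6_address_bounded(value, max_length=IPV6_MAX_LENGTH):
    """Normalise a valid address to its compressed form.

    Raises ValueError for input that is over-long or not a valid IPv6
    address, mirroring the clean/validate split the changelog describes
    but with the length bound applied up front.
    """
    if not isinstance(value, str):
        raise ValueError("IPv6 address must be a string")
    if len(value) > max_length:
        raise ValueError(
            "IPv6 address longer than %d characters" % max_length)
    try:
        return str(ipaddress.IPv6Address(value))
    except ValueError as exc:
        raise ValueError("invalid IPv6 address: %r" % value[:64]) from exc


if __name__ == "__main__":
    # Constructed sample inputs: two valid forms, one over-long string
    # that the length bound rejects before parsing, and two non-IPv6 values.
    samples = [
        "2001:db8::1",
        "2001:0db8:0000:0000:0000:0000:0000:0001",  # exactly 39 characters
        "2001:db8::" + "1" * 100_000,
        "not-an-address",
        "192.0.2.1",
    ]
    for sample in samples:
        print(len(sample), is_valid_ipv6_address_bounded(sample))
```

The order of the checks is the whole point: a validator that parses first and only then inspects the result still does the expensive work on attacker-controlled length, so the bound has to sit in front of the parser, as the form field's max_length now does.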