Change log for python-django package in Ubuntu

150 of 365 results
Published in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
python-django (3:4.2.4-1ubuntu2) mantic; urgency=medium

  * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
    - debian/patches/CVE-2023-43665.patch: limit size of input strings in
      django/utils/text.py, tests/utils_tests/test_text.py,
      docs/ref/templates/builtins.txt.
    - CVE-2023-43665

 -- Marc Deslauriers <email address hidden>  Wed, 04 Oct 2023 13:53:21 -0400
Published in focal-updates
Published in focal-security
python-django (2:2.2.12-1ubuntu0.20) focal-security; urgency=medium

  * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
    - debian/patches/CVE-2023-43665.patch: limit size of input strings in
      django/utils/text.py, tests/utils_tests/test_text.py.
    - CVE-2023-43665

 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2023 13:37:46 -0400
Published in jammy-updates
Published in jammy-security
python-django (2:3.2.12-2ubuntu1.9) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
    - debian/patches/CVE-2023-43665.patch: limit size of input strings in
      django/utils/text.py, tests/utils_tests/test_text.py.
    - CVE-2023-43665

 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2023 13:36:26 -0400
Published in lunar-updates
Published in lunar-security
python-django (3:3.2.18-1ubuntu0.5) lunar-security; urgency=medium

  * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
    - debian/patches/CVE-2023-43665.patch: limit size of input strings in
      django/utils/text.py, tests/utils_tests/test_text.py.
    - CVE-2023-43665

 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2023 13:00:07 -0400
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
python-django (3:4.2.4-1ubuntu1) mantic; urgency=medium

  * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2023-41164.patch: properly handle large number of
      Unicode characters in django/utils/encoding.py,
      tests/utils_tests/test_encoding.py.
    - CVE-2023-41164

 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2023 14:41:43 -0400
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.19) focal-security; urgency=medium

  * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2023-41164.patch: properly handle large number of
      Unicode characters in django/utils/encoding.py,
      tests/utils_tests/test_encoding.py.
    - CVE-2023-41164

 -- Marc Deslauriers <email address hidden>  Fri, 15 Sep 2023 09:17:39 -0400
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.8) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2023-41164.patch: properly handle large number of
      Unicode characters in django/utils/encoding.py,
      tests/utils_tests/test_encoding.py.
    - CVE-2023-41164

 -- Marc Deslauriers <email address hidden>  Fri, 15 Sep 2023 08:51:14 -0400
Superseded in lunar-updates
Superseded in lunar-security
python-django (3:3.2.18-1ubuntu0.4) lunar-security; urgency=medium

  * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2023-41164.patch: properly handle large number of
      Unicode characters in django/utils/encoding.py,
      tests/utils_tests/test_encoding.py.
    - CVE-2023-41164

 -- Marc Deslauriers <email address hidden>  Fri, 15 Sep 2023 08:39:57 -0400
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
python-django (3:4.2.4-1) experimental; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/4.2/releases/4.2.4/>

 -- Chris Lamb <email address hidden>  Wed, 02 Aug 2023 07:53:39 +0100
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
python-django (3:3.2.20-1.1) unstable; urgency=high

  [ Gianfranco Costamagna ]
  * Non-maintainer upload.

  [ Graham Inggs ]
  * Cherry-pick upstream commit to fix URLValidator crash in
    some edge cases (LP: #2025155, Closes: #1037920)

 -- Gianfranco Costamagna <email address hidden>  Tue, 04 Jul 2023 09:31:10 +0200
Superseded in mantic-proposed
python-django (3:3.2.20-1ubuntu1) mantic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Cherry-pick upstream commit to fix URLValidator crash in
      some edge cases (LP: #2025155)

Superseded in mantic-proposed
python-django (3:3.2.20-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2023-36053: Potential regular expression denial of service
      vulnerability in EmailValidator/URLValidator.

      EmailValidator and URLValidator were subject to potential regular
      expression denial of service attack via a very large number of domain
      name labels of emails and URLs. (Closes: #1040225)

 -- Chris Lamb <email address hidden>  Mon, 03 Jul 2023 20:34:24 +0100
Superseded in lunar-updates
Superseded in lunar-security
python-django (3:3.2.18-1ubuntu0.3) lunar-security; urgency=medium

  * SECURITY UPDATE: Potential ReDoS issues
    - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
      EmailValidator and URLValidator in django/core/validators.py,
      django/forms/fields.py, docs/ref/forms/fields.txt,
      docs/ref/validators.txt,
      tests/forms_tests/field_tests/test_emailfield.py,
      tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
    - CVE-2023-36053
  * debian/patches/fix-url-validator.patch: Cherry-pick upstream commit to
    fix URLValidator crash in some edge cases (LP: #2025155)

 -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:18:49 -0400
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
python-django (3:3.2.19-1ubuntu3) mantic; urgency=medium

  * Drop 2eb1f37260f0e0b71ef3a77eb5522d2bb68d6489.patch and
    16729.patch; it seems these are no longer needed
  * Cherry-pick upstream commit to fix URLValidator crash in
    some edge cases (LP: #2025155)

 -- Graham Inggs <email address hidden>  Wed, 28 Jun 2023 11:20:10 +0000
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.18) focal-security; urgency=medium

  * SECURITY UPDATE: Potential ReDoS issues
    - debian/patches/CVE-2023-36053-pre1.patch: fix URLValidator hostname
      length validation in django/core/validators.py,
      tests/validators/valid_urls.txt.
    - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
      EmailValidator and URLValidator in django/core/validators.py,
      django/forms/fields.py,
      tests/forms_tests/field_tests/test_emailfield.py,
      tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
    - CVE-2023-36053

 -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:40:09 -0400
Published in kinetic-updates
Published in kinetic-security
python-django (3:3.2.15-1ubuntu1.4) kinetic-security; urgency=medium

  * SECURITY UPDATE: Potential ReDoS issues
    - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
      EmailValidator and URLValidator in django/core/validators.py,
      django/forms/fields.py, docs/ref/forms/fields.txt,
      docs/ref/validators.txt,
      tests/forms_tests/field_tests/test_emailfield.py,
      tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
    - CVE-2023-36053

 -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:23:46 -0400
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.7) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential ReDoS issues
    - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
      EmailValidator and URLValidator in django/core/validators.py,
      django/forms/fields.py, docs/ref/forms/fields.txt,
      docs/ref/validators.txt,
      tests/forms_tests/field_tests/test_emailfield.py,
      tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
    - CVE-2023-36053

 -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:24:13 -0400
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
python-django (3:3.2.19-1ubuntu2) mantic; urgency=medium

  * Cherry-pick 2eb1f37260f0e0b71ef3a77eb5522d2bb68d6489,
    another Python3.12 retro-compatible change.

 -- Gianfranco Costamagna <email address hidden>  Thu, 04 May 2023 09:22:42 +0200
Superseded in mantic-proposed
python-django (3:3.2.19-1ubuntu1) mantic; urgency=medium

  * debian/patches/16729.patch:
    - cherry-pick and adapt upstream Python3.12 test fix

 -- Gianfranco Costamagna <email address hidden>  Thu, 04 May 2023 09:15:13 +0200
Superseded in mantic-proposed
python-django (3:3.2.19-1) unstable; urgency=medium

  * New upstream security release.
  * CVE-2023-31047: Prevent a potential bypass of validation when uploading
    multiple files using one form field.

    Uploading multiple files using one form field has never been supported by
    forms.FileField or forms.ImageField as only the last uploaded file was
    validated. Unfortunately, the Uploading multiple files topic suggested
    otherwise. In order to avoid the vulnerability, the ClearableFileInput and
    FileInput form widgets now raise ValueError when the multiple HTML
    attribute is set on them. To prevent the exception and keep the old
    behavior, set the allow_multiple_selected attribute to True.

    For more details on using the new attribute and handling of multiple files
    through a single field, see:

      <https://docs.djangoproject.com/en/stable/topics/http/file-uploads/#uploading-multiple-files>

    (Closes: #1035467)

  * Bump Standards-Version to 4.6.2.

 -- Chris Lamb <email address hidden>  Wed, 03 May 2023 09:32:59 -0700
Superseded in mantic-proposed
python-django (3:3.2.18-1ubuntu1) mantic; urgency=medium

  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
      in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047

 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 09:55:57 -0400
Published in bionic-updates
Published in bionic-security
python-django (1:1.11.11-1ubuntu1.21) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
      in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047

 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 10:05:28 -0400
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.6) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
      in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047

 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 10:00:52 -0400
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.17) focal-security; urgency=medium

  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
      in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047

 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 10:03:19 -0400
Superseded in lunar-updates
Superseded in lunar-security
python-django (3:3.2.18-1ubuntu0.1) lunar-security; urgency=medium

  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
      in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047

 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 09:55:57 -0400
Superseded in kinetic-updates
Superseded in kinetic-security
python-django (3:3.2.15-1ubuntu1.3) kinetic-security; urgency=medium

  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
      in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047

 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 09:58:35 -0400
Superseded in mantic-release
Published in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
python-django (3:3.2.18-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2023-24580: Potential denial-of-service vulnerability in file uploads

      Passing certain inputs to multipart forms could result in too many open
      files or memory exhaustion, and provided a potential vector for a
      denial-of-service attack.

      The number of file parts parsed is now limited via the new
      DATA_UPLOAD_MAX_NUMBER_FILES setting.

      Thanks to Jakob Ackermann for the report. (Closes: #1031290)

 -- Chris Lamb <email address hidden>  Tue, 14 Feb 2023 09:12:57 -0800
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.20) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential denial-of-service in file uploads
    - debian/patches/CVE-2023-24580.patch: add limits to
      django/conf/global_settings.py, django/core/exceptions.py,
      django/core/handlers/exception.py, django/http/multipartparser.py,
      django/http/request.py, docs/ref/exceptions.txt,
      docs/ref/settings.txt, tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py.
    - CVE-2023-24580

 -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 10:30:23 -0500
Superseded in kinetic-updates
Superseded in kinetic-security
python-django (3:3.2.15-1ubuntu1.2) kinetic-security; urgency=medium

  * SECURITY UPDATE: Potential denial-of-service in file uploads
    - debian/patches/CVE-2023-24580.patch: add limits to
      django/conf/global_settings.py, django/core/exceptions.py,
      django/core/handlers/exception.py, django/http/multipartparser.py,
      django/http/request.py, docs/ref/exceptions.txt,
      docs/ref/settings.txt, tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py.
    - CVE-2023-24580

 -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 08:53:34 -0500
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.5) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential denial-of-service in file uploads
    - debian/patches/CVE-2023-24580.patch: add limits to
      django/conf/global_settings.py, django/core/exceptions.py,
      django/core/handlers/exception.py, django/http/multipartparser.py,
      django/http/request.py, docs/ref/exceptions.txt,
      docs/ref/settings.txt, tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py.
    - CVE-2023-24580

 -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 08:56:44 -0500
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.16) focal-security; urgency=medium

  * SECURITY UPDATE: Potential denial-of-service in file uploads
    - debian/patches/CVE-2023-24580.patch: add limits to
      django/conf/global_settings.py, django/core/exceptions.py,
      django/core/handlers/exception.py, django/http/multipartparser.py,
      django/http/request.py, docs/ref/exceptions.txt,
      docs/ref/settings.txt, tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py.
    - CVE-2023-24580

 -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 08:58:48 -0500
Superseded in lunar-proposed
python-django (3:3.2.17-1) unstable; urgency=medium

  * New security upstream release.
    <https://www.djangoproject.com/weblog/2023/feb/01/security-releases/>

    - CVE-2023-23969: Potential denial-of-service via Accept-Language headers

      The parsed values of Accept-Language headers are cached in order to avoid
      repetitive parsing. This leads to a potential denial-of-service vector
      via excessive memory usage if large header values are sent.

      In order to avoid this vulnerability, the Accept-Language header is now
      parsed up to a maximum length. (Closes: #1030251)

  * Drop 0010-Fixed-inspectdb.tests.InspectDBTestCase.test_custom_.patch;
    applied upstream.
  * Refresh all patches.

 -- Chris Lamb <email address hidden>  Wed, 01 Feb 2023 08:01:01 -0800
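The entry above describes the CVE-2023-23969 fix only as parsing the Accept-Language header "up to a maximum length". The following is an added illustration of that defence, not Django's own code: a cached parser whose cache is keyed on the raw header string, guarded by a length cap applied before the cache is reached. The limit value, the regex and the function names are this example's own assumptions.

```python
import re
from functools import lru_cache

# Assumed limit for this example; the changelog only says the header is now
# parsed "up to a maximum length", so the number is illustrative.
ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500

# One language range with an optional q-value, e.g. "en-GB;q=0.8".
_LANG_RANGE_RE = re.compile(
    r"^\s*([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)\s*"
    r"(?:;\s*q\s*=\s*(1(?:\.0{0,3})?|0(?:\.\d{0,3})?))?\s*$"
)


@lru_cache(maxsize=1000)
def _parse_accept_lang_header(lang_string):
    """Parse an already-bounded header into ((lang, q), ...), best q first.

    The cache key is the raw string: every distinct string that reaches this
    function is retained, so unbounded input means unbounded memory. That is
    the DoS vector the changelog describes, and why the caller caps length
    before calling in here.
    """
    pieces = []
    for part in lang_string.split(","):
        if not part.strip():
            continue
        match = _LANG_RANGE_RE.match(part)
        if match is None:
            return ()  # malformed header: ignore it entirely
        lang, q = match.group(1), match.group(2)
        pieces.append((lang.lower(), float(q) if q else 1.0))
    pieces.sort(key=lambda piece: -piece[1])
    return tuple(pieces)


def parse_accept_lang_header(lang_string):
    """Bound the header length, then parse (and cache) only the bounded text.

    An oversized header is cut back to the last ',' inside the limit so that a
    half-written language range is never parsed; if no complete range fits,
    the header is treated as absent.
    """
    if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
        return _parse_accept_lang_header(lang_string)
    index = lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)
    if index > 0:
        return _parse_accept_lang_header(lang_string[:index])
    return ()


def cached_entries():
    """Number of distinct header strings currently held by the cache."""
    return _parse_accept_lang_header.cache_info().currsize
```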
Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
python-django (3:3.2.16-1ubuntu2) lunar; urgency=medium

  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py,
      tests/i18n/tests.py.
    - CVE-2023-23969

 -- Marc Deslauriers <email address hidden>  Wed, 01 Feb 2023 09:35:23 -0500
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.19) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py,
      tests/i18n/tests.py.
    - CVE-2023-23969

 -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:45:22 -0500
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.4) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py,
      tests/i18n/tests.py.
    - CVE-2023-23969

 -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:37:50 -0500
Superseded in kinetic-updates
Superseded in kinetic-security
python-django (3:3.2.15-1ubuntu1.1) kinetic-security; urgency=medium

  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py,
      tests/i18n/tests.py.
    - CVE-2023-23969

 -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:35:46 -0500
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.15) focal-security; urgency=medium

  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py,
      tests/i18n/tests.py.
    - CVE-2023-23969

 -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:38:45 -0500
Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
python-django (3:3.2.16-1ubuntu1) lunar; urgency=medium

  * d/p/0012-Add-Python-3.11-support-for-tests.patch: Make unit tests
    compatible with Python 3.11 to fix build errors (LP: #2002012)

 -- Lena Voytek <email address hidden>  Fri, 06 Jan 2023 11:02:03 -0700
Superseded in lunar-release
Published in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
python-django (3:3.2.15-1ubuntu1) kinetic; urgency=medium

  * SECURITY UPDATE: Potential DoS vulnerability in internationalized URLs
    - debian/patches/CVE-2022-41323.patch: Prevented locales being
      interpreted as regular expressions in django/urls/resolvers.py,
      tests/i18n/patterns/tests.py.
    - CVE-2022-41323

 -- Marc Deslauriers <email address hidden>  Wed, 05 Oct 2022 08:08:25 -0400
Superseded in lunar-proposed
python-django (3:3.2.16-1) unstable; urgency=high

  * New upstream security release.
    <https://www.djangoproject.com/weblog/2022/oct/04/security-releases/>

    - CVE-2022-41323: Prevent a potential denial-of-service vulnerability in
      internationalized URLs. Internationalised URLs were subject to potential
      denial of service attack via the locale parameter. This is now escaped to
      avoid this possibility.

 -- Chris Lamb <email address hidden>  Tue, 04 Oct 2022 07:51:21 -0700
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.14) focal-security; urgency=medium

  * SECURITY UPDATE: Potential DoS vulnerability in internationalized URLs
    - debian/patches/CVE-2022-41323.patch: Prevented locales being
      interpreted as regular expressions in django/urls/resolvers.py,
      tests/i18n/patterns/tests.py.
    - CVE-2022-41323

 -- Marc Deslauriers <email address hidden>  Tue, 27 Sep 2022 09:37:54 -0400
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential DoS vulnerability in internationalized URLs
    - debian/patches/CVE-2022-41323.patch: Prevented locales being
      interpreted as regular expressions in django/urls/resolvers.py,
      tests/i18n/patterns/tests.py.
    - CVE-2022-41323

 -- Marc Deslauriers <email address hidden>  Tue, 27 Sep 2022 09:35:14 -0400
Superseded in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
python-django (3:3.2.15-1) unstable; urgency=high

  * New upstream security release.

    - CVE-2022-36359: Potential reflected file download vulnerability in
      FileResponse. An application may have been vulnerable to a reflected file
      download (RFD) attack that sets the Content-Disposition header of a
      FileResponse when the filename was derived from user-supplied input. The
      filename is now escaped to avoid this possibility.

    <https://www.djangoproject.com/weblog/2022/aug/03/security-releases/>

 -- Chris Lamb <email address hidden>  Wed, 03 Aug 2022 07:11:45 -0700
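The CVE-2022-36359 entry above says only that the filename is "now escaped". The following is an added example, not Django's code, of a user-derived filename dropped straight into Content-Disposition beside a hardened builder that escapes it; the function names, the as_attachment flag and the sample inputs are this example's own assumptions.

```python
import os
from urllib.parse import quote


def naive_content_disposition(filename, as_attachment=True):
    """The pattern the advisory warns about: a user-supplied name placed
    directly in the header. A '"' in the name closes the quoted-string early
    and the remainder of the name becomes header syntax."""
    disposition = "attachment" if as_attachment else "inline"
    return '%s; filename="%s"' % (disposition, filename)


def safe_content_disposition(filename, as_attachment=True):
    """Build a Content-Disposition value that a browser parses as exactly one
    filename token whatever the name contains.

    - CR/LF are refused outright (they would inject a new header line);
    - only the base name is sent, so path components never reach the client;
    - ASCII names go in a quoted-string with '\\' and '"' escaped (RFC 6266);
    - non-ASCII names use the RFC 5987 filename*= form, percent-encoded.
    """
    if "\r" in filename or "\n" in filename:
        raise ValueError("newline in filename")
    filename = os.path.basename(filename)  # assumes POSIX path semantics
    if not filename:
        raise ValueError("empty filename")
    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        return "%s; filename*=utf-8''%s" % (disposition, quote(filename))
    escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
    return '%s; filename="%s"' % (disposition, escaped)


def is_rejected(filename):
    """True when the hardened builder refuses the name instead of emitting it."""
    try:
        safe_content_disposition(filename)
    except ValueError:
        return True
    return False
```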
Superseded in kinetic-proposed
python-django (3:3.2.14-1) unstable; urgency=medium

  * Revert Debian unstable to 3.2.x LTS release stream, bumping epoch.
    (Closes: #1016090)
  * Refresh patches.
  * Bump Standards-Version to 4.6.1.

 -- Chris Lamb <email address hidden>  Tue, 02 Aug 2022 09:02:41 -0700
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential reflected file download
    - debian/patches/CVE-2022-36359.patch: escaped filename in
      Content-Disposition header in django/http/response.py,
      tests/responses/test_fileresponse.py.
    - CVE-2022-36359

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 27 Jul 2022 11:12:17 -0300
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.13) focal-security; urgency=medium

  * SECURITY UPDATE: Potential reflected file download
    - debian/patches/CVE-2022-36359.patch: escaped filename in
      Content-Disposition header in django/http/response.py,
      tests/responses/test_fileresponse.py.
    - CVE-2022-36359

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 27 Jul 2022 11:31:16 -0300
Superseded in kinetic-proposed
python-django (2:4.0.6-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2022-34265: Potential SQL injection via Trunc(kind) and
      Extract(lookup_name) arguments.

      "Trunc() and Extract() database functions were subject to SQL injection if
      untrusted data was used as a kind/lookup_name value. Applications that
      constrain the lookup name and kind choice to a known safe list are
      unaffected."

      "This security release mitigates the issue, but we have identified
      improvements to the Database API methods related to date extract and
      truncate that would be beneficial to add to Django 4.1 before it's final
      release. This will impact 3rd party database backends using Django 4.1
      release candidate 1 or newer, until they are able to update to the API
      changes. We apologize for the inconvenience."

      <https://www.djangoproject.com/weblog/2022/jul/04/security-releases/>

  * Refresh patches.

 -- Chris Lamb <email address hidden>  Tue, 05 Jul 2022 12:38:15 +0100
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.18) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection
    - debian/patches/CVE-2022-34265.patch: protected
      trunc/extract against SQL injection in
      django/db/backends/base/operations.py,
      django/db/models/functions/datetime.py.
    - CVE-2022-34265

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 29 Jun 2022 15:19:32 -0300
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.12) focal-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection
    - debian/patches/CVE-2022-34265.patch: protected
      trunc/extract against SQL injection in
      django/db/backends/base/operations.py,
      django/db/models/functions/datetime.py.
    - CVE-2022-34265

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 29 Jun 2022 13:44:58 -0300
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection
    - debian/patches/CVE-2022-34265.patch: protected
      trunc/extract against SQL injection in
      django/db/backends/base/operations.py,
      django/db/models/functions/datetime.py.
    - CVE-2022-34265

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 29 Jun 2022 09:29:53 -0300