-
python-django (2:2.2.24-1ubuntu1.5) impish-security; urgency=medium
* SECURITY UPDATE: Potential SQL invjection
- debian/patches/CVE-2022-34265.patch: protected
trunc/extract against SQL injection in
django/db/backends/base/operations.py,
django/db/models/functions/datetime.py.
- CVE-2022-34265
-- Leonidas Da Silva Barbosa <email address hidden> Wed, 29 Jun 2022 09:49:47 -0300
-
python-django (2:2.2.24-1ubuntu1.4) impish-security; urgency=medium
* SECURITY UPDATE: Potential SQL injection in QuerySet.annotate(),
aggregate(), and extra()
- debian/patches/CVE-2022-28346.patch: prevent SQL injection in column
aliases in django/db/models/sql/query.py, tests/aggregation/tests.py,
tests/annotations/tests.py, tests/queries/tests.py,
tests/expressions/test_queryset_values.py.
- CVE-2022-28346
* SECURITY UPDATE: Potential SQL injection via
QuerySet.explain(**options) on PostgreSQL
- debian/patches/CVE-2022-28347.patch: prevent SQL injection in
django/db/backends/postgresql/features.py,
django/db/backends/postgresql/operations.py,
django/db/models/sql/query.py, tests/queries/test_explain.py.
- CVE-2022-28347
-- Marc Deslauriers <email address hidden> Tue, 05 Apr 2022 12:28:21 -0400
-
python-django (2:2.2.24-1ubuntu1.3) impish-security; urgency=medium
* SECURITY UPDATE: possible XSS via debug template tag
- debian/patches/CVE-2022-22818.patch: properly encode the current
context in django/template/defaulttags.py,
tests/template_tests/syntax_tests/test_debug.py,
tests/template_tests/tests.py.
- CVE-2022-22818
* SECURITY UPDATE: denial-of-service possibility in file uploads
- debian/patches/CVE-2022-23833.patch: fix infinite loop in
django/http/multipartparser.py, tests/file_uploads/tests.py.
- CVE-2022-23833
-- Marc Deslauriers <email address hidden> Tue, 01 Feb 2022 10:02:39 -0500
-
python-django (2:2.2.24-1ubuntu1.2) impish-security; urgency=medium
* SECURITY UPDATE: Denial-of-service possibility in
UserAtributeSimilarityValidator
- debian/patches/CVE-2021-45115.patch: prevent DoS in
django/contrib/auth/password_validation.py,
docs/topics/auth/passwords.txt, tests/auth_tests/test_validators.py.
- CVE-2021-45115
* SECURITY UPDATE: Potential information disclosure in dictsort template
filter
- debian/patches/CVE-2021-45116.patch: properly handle private
variables in django/template/defaultfilters.py,
docs/ref/templates/builtins.txt,
tests/template_tests/filter_tests/test_dictsort.py,
tests/template_tests/filter_tests/test_dictsortreversed.py.
- CVE-2021-45116
* SECURITY UPDATE: Potential directory-traversal via Storage.save()
- debian/patches/CVE-2021-45452.patch: fix path traversal in
django/core/files/storage.py,
tests/file_storage/test_generate_filename.py,
tests/file_storage/tests.py.
- CVE-2021-45452
-- Marc Deslauriers <email address hidden> Tue, 04 Jan 2022 07:15:17 -0500
-
python-django (2:2.2.24-1ubuntu1.1) impish-security; urgency=medium
* SECURITY UPDATE: potential bypass of an upstream access control based on
URL paths
- debian/patches/CVE-2021-44420.patch: fix path match in
django/urls/resolvers.py, tests/urlpatterns/tests.py.
- CVE-2021-44420
-- Marc Deslauriers <email address hidden> Tue, 30 Nov 2021 06:56:31 -0500
-
python-django (2:2.2.24-1ubuntu1) impish; urgency=medium
* d/p/test_subparser_regression.patch: Fix test regression (LP: #1945993)
-- Athos Ribeiro <email address hidden> Mon, 04 Oct 2021 10:56:57 -0300
-
python-django (2:2.2.24-1) unstable; urgency=medium
* New upstream security release. (Closes: #989394)
- CVE-2021-33203: Potential directory traversal via admindocs
Staff members could use the admindocs TemplateDetailView view to
check the existence of arbitrary files. Additionally, if (and only
if) the default admindocs templates have been customized by the
developers to also expose the file contents, then not only the
existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files
within the template root directories can be loaded.
This issue has low severity, according to the Django security
policy.
Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
the CodeQL Python team for the report.
- CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
since validators accepted leading zeros in IPv4 addresses
URLValidator, validate_ipv4_address(), and
validate_ipv46_address() didn't prohibit leading zeros in octal
literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.
validate_ipv4_address() and validate_ipv46_address() validators
were not affected on Python 3.9.5+.
This issue has medium severity, according to the Django security
policy.
-- Chris Lamb <email address hidden> Wed, 02 Jun 2021 16:15:13 +0100
-
python-django (2:2.2.23-1) unstable; urgency=medium
* New upstream release.
<https://docs.djangoproject.com/en/3.2/releases/2.2.23/>
-- Chris Lamb <email address hidden> Thu, 13 May 2021 10:41:04 +0100
-
python-django (2:2.2.22-1) unstable; urgency=medium
* New upstream security release:
- CVE-2021-32052: Header injection possibility since URLValidator accepted
newlines in input on Python 3.9.5+. (Closes: #988136)
- Full release notes:
<https://www.djangoproject.com/weblog/2021/may/06/security-releases/>
-- Chris Lamb <email address hidden> Thu, 06 May 2021 15:52:24 +0100
-
python-django (2:2.2.20-1ubuntu0.1) hirsute-security; urgency=medium
* SECURITY UPDATE: Potential directory-traversal via uploaded files
- debian/patches/CVE-2021-31542.patch: tighten path & file name
sanitation in file uploads in django/core/files/storage.py,
django/core/files/uploadedfile.py, django/core/files/utils.py,
django/db/models/fields/files.py, django/http/multipartparser.py,
django/utils/text.py, tests/file_storage/test_generate_filename.py,
tests/file_uploads/tests.py, tests/utils_tests/test_text.py,
tests/forms_tests/field_tests/test_filefield.py.
- CVE-2021-31542
-- Marc Deslauriers <email address hidden> Wed, 28 Apr 2021 06:36:37 -0400
-
python-django (2:2.2.20-1) unstable; urgency=medium
* New upstream security release:
- CVE-2021-28658: The MultiPartParser class allowed directory-traversal
via uploaded files via maliciously crafted filenames. (Closes: #986447)
-- Chris Lamb <email address hidden> Tue, 06 Apr 2021 11:44:51 +0100