Change log for python-django package in Ubuntu

Published in oracular-release
Published in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
python-django (3:4.2.11-1ubuntu1) noble; urgency=medium

  * d/p/fix-mail-using-utf-8-surrogateescape.patch: Fix
    SafeMIMEText.set_payload() crash using python 3.12.3

 -- Lena Voytek <email address hidden>  Tue, 16 Apr 2024 12:25:28 -0700
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
python-django (3:4.2.11-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2024-27351: Fix a potential regular expression denial-of-service
      (ReDoS) attack in django.utils.text.Truncator.words. This method
      (with html=True) and the truncatewords_html template filter were subject
      to a potential regular expression denial-of-service attack via a suitably
      crafted string. This is, in part, a follow up to CVE-2019-14232 and
      CVE-2023-43665.

    <https://docs.djangoproject.com/en/dev/releases/4.2.11/>

 -- Chris Lamb <email address hidden>  Tue, 05 Mar 2024 13:03:35 +0000
Published in focal-updates
Published in focal-security
python-django (2:2.2.12-1ubuntu0.22) focal-security; urgency=medium

  * SECURITY UPDATE: regular expression denial-of-service
    - debian/patches/CVE-2024-27351.patch: prevented potential ReDoS in
      Truncator.words() in django/utils/text.py,
      tests/utils_tests/test_text.py.
    - CVE-2024-27351

 -- Marc Deslauriers <email address hidden>  Mon, 26 Feb 2024 12:03:03 -0500
Published in jammy-updates
Published in jammy-security
python-django (2:3.2.12-2ubuntu1.11) jammy-security; urgency=medium

  * SECURITY UPDATE: regular expression denial-of-service
    - debian/patches/CVE-2024-27351.patch: prevented potential ReDoS in
      Truncator.words() in django/utils/text.py,
      tests/utils_tests/test_text.py.
    - CVE-2024-27351

 -- Marc Deslauriers <email address hidden>  Mon, 26 Feb 2024 11:53:44 -0500
Published in mantic-updates
Published in mantic-security
python-django (3:4.2.4-1ubuntu2.2) mantic-security; urgency=medium

  * SECURITY UPDATE: regular expression denial-of-service
    - debian/patches/CVE-2024-27351.patch: prevented potential ReDoS in
      Truncator.words() in django/utils/text.py,
      tests/utils_tests/test_text.py.
    - CVE-2024-27351

 -- Marc Deslauriers <email address hidden>  Mon, 26 Feb 2024 11:51:37 -0500
Superseded in noble-proposed
python-django (3:4.2.10-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2024-24680: Potential denial-of-service in intcomma template filter.
      The intcomma template filter was subject to a potential denial-of-service
      attack when used with very long strings.

    <https://docs.djangoproject.com/en/dev/releases/4.2.10/>

 -- Chris Lamb <email address hidden>  Tue, 06 Feb 2024 08:15:25 -0800

Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.21) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2024-24680.patch: rewrite regex logic to avoid DoS
      in django/contrib/humanize/templatetags/humanize.py,
      tests/humanize_tests/tests.py.
    - CVE-2024-24680

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 30 Jan 2024 09:27:23 -0300
Superseded in mantic-updates
Superseded in mantic-security
python-django (3:4.2.4-1ubuntu2.1) mantic-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2024-24680.patch: rewrite regex logic to avoid DoS
      in django/contrib/humanize/templatetags/humanize.py,
      tests/humanize_tests/tests.py.
    - CVE-2024-24680

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 30 Jan 2024 10:38:29 -0300
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.10) jammy-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2024-24680.patch: rewrite regex logic to avoid DoS
      in django/contrib/humanize/templatetags/humanize.py,
      tests/humanize_tests/tests.py.
    - CVE-2024-24680

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 30 Jan 2024 13:25:10 -0300
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
python-django (3:4.2.9-1) unstable; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/dev/releases/4.2.9/>

 -- Chris Lamb <email address hidden>  Wed, 03 Jan 2024 11:15:04 +0000

Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
python-django (3:4.2.8-1) unstable; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/5.0/releases/4.2.8/>

 -- Chris Lamb <email address hidden>  Thu, 07 Dec 2023 13:05:03 +0000
Superseded in noble-release
Published in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
python-django (3:4.2.4-1ubuntu2) mantic; urgency=medium

  * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
    - debian/patches/CVE-2023-43665.patch: limit size of input strings in
      django/utils/text.py, tests/utils_tests/test_text.py,
      docs/ref/templates/builtins.txt.
    - CVE-2023-43665

 -- Marc Deslauriers <email address hidden>  Wed, 04 Oct 2023 13:53:21 -0400
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.20) focal-security; urgency=medium

  * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
    - debian/patches/CVE-2023-43665.patch: limit size of input strings in
      django/utils/text.py, tests/utils_tests/test_text.py.
    - CVE-2023-43665

 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2023 13:37:46 -0400
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.9) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
    - debian/patches/CVE-2023-43665.patch: limit size of input strings in
      django/utils/text.py, tests/utils_tests/test_text.py.
    - CVE-2023-43665

 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2023 13:36:26 -0400
Published in lunar-updates
Published in lunar-security
python-django (3:3.2.18-1ubuntu0.5) lunar-security; urgency=medium

  * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
    - debian/patches/CVE-2023-43665.patch: limit size of input strings in
      django/utils/text.py, tests/utils_tests/test_text.py.
    - CVE-2023-43665

 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2023 13:00:07 -0400
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
python-django (3:4.2.4-1ubuntu1) mantic; urgency=medium

  * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2023-41164.patch: properly handle large number of
      Unicode characters in django/utils/encoding.py,
      tests/utils_tests/test_encoding.py.
    - CVE-2023-41164

 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2023 14:41:43 -0400
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.19) focal-security; urgency=medium

  * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2023-41164.patch: properly handle large number of
      Unicode characters in django/utils/encoding.py,
      tests/utils_tests/test_encoding.py.
    - CVE-2023-41164

 -- Marc Deslauriers <email address hidden>  Fri, 15 Sep 2023 09:17:39 -0400
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.8) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2023-41164.patch: properly handle large number of
      Unicode characters in django/utils/encoding.py,
      tests/utils_tests/test_encoding.py.
    - CVE-2023-41164

 -- Marc Deslauriers <email address hidden>  Fri, 15 Sep 2023 08:51:14 -0400
Superseded in lunar-updates
Superseded in lunar-security
python-django (3:3.2.18-1ubuntu0.4) lunar-security; urgency=medium

  * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2023-41164.patch: properly handle large number of
      Unicode characters in django/utils/encoding.py,
      tests/utils_tests/test_encoding.py.
    - CVE-2023-41164

 -- Marc Deslauriers <email address hidden>  Fri, 15 Sep 2023 08:39:57 -0400
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
python-django (3:4.2.4-1) experimental; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/4.2/releases/4.2.4/>

 -- Chris Lamb <email address hidden>  Wed, 02 Aug 2023 07:53:39 +0100

Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
python-django (3:3.2.20-1.1) unstable; urgency=high

  [ Gianfranco Costamagna ]
  * Non-maintainer upload.

  [ Graham Inggs ]
  * Cherry-pick upstream commit to fix URLValidator crash in
    some edge cases (LP: #2025155, Closes: #1037920)

 -- Gianfranco Costamagna <email address hidden>  Tue, 04 Jul 2023 09:31:10 +0200
Superseded in mantic-proposed
python-django (3:3.2.20-1ubuntu1) mantic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Cherry-pick upstream commit to fix URLValidator crash in
      some edge cases (LP: #2025155)

Superseded in mantic-proposed
python-django (3:3.2.20-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2023-36053: Potential regular expression denial of service
      vulnerability in EmailValidator/URLValidator.

      EmailValidator and URLValidator were subject to potential regular
      expression denial of service attack via a very large number of domain
      name labels of emails and URLs. (Closes: #1040225)

 -- Chris Lamb <email address hidden>  Mon, 03 Jul 2023 20:34:24 +0100
Superseded in lunar-updates
Superseded in lunar-security
python-django (3:3.2.18-1ubuntu0.3) lunar-security; urgency=medium

  * SECURITY UPDATE: Potential ReDoS issues
    - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
      EmailValidator and URLValidator in django/core/validators.py,
      django/forms/fields.py, docs/ref/forms/fields.txt,
      docs/ref/validators.txt,
      tests/forms_tests/field_tests/test_emailfield.py,
      tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
    - CVE-2023-36053
  * debian/patches/fix-url-validator.patch: Cherry-pick upstream commit to
    fix URLValidator crash in some edge cases (LP: #2025155)

 -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:18:49 -0400
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
python-django (3:3.2.19-1ubuntu3) mantic; urgency=medium

  * Drop 2eb1f37260f0e0b71ef3a77eb5522d2bb68d6489.patch and
    16729.patch, it seems these are no longer needed
  * Cherry-pick upstream commit to fix URLValidator crash in
    some edge cases (LP: #2025155)

 -- Graham Inggs <email address hidden>  Wed, 28 Jun 2023 11:20:10 +0000
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.18) focal-security; urgency=medium

  * SECURITY UPDATE: Potential ReDoS issues
    - debian/patches/CVE-2023-36053-pre1.patch: fix URLValidator hostname
      length validation in django/core/validators.py,
      tests/validators/valid_urls.txt.
    - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
      EmailValidator and URLValidator in django/core/validators.py,
      django/forms/fields.py,
      tests/forms_tests/field_tests/test_emailfield.py,
      tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
    - CVE-2023-36053

 -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:40:09 -0400
Obsolete in kinetic-updates
Obsolete in kinetic-security
python-django (3:3.2.15-1ubuntu1.4) kinetic-security; urgency=medium

  * SECURITY UPDATE: Potential ReDoS issues
    - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
      EmailValidator and URLValidator in django/core/validators.py,
      django/forms/fields.py, docs/ref/forms/fields.txt,
      docs/ref/validators.txt,
      tests/forms_tests/field_tests/test_emailfield.py,
      tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
    - CVE-2023-36053

 -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:23:46 -0400
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.7) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential ReDoS issues
    - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
      EmailValidator and URLValidator in django/core/validators.py,
      django/forms/fields.py, docs/ref/forms/fields.txt,
      docs/ref/validators.txt,
      tests/forms_tests/field_tests/test_emailfield.py,
      tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
    - CVE-2023-36053

 -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:24:13 -0400
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
python-django (3:3.2.19-1ubuntu2) mantic; urgency=medium

  * Cherry-pick 2eb1f37260f0e0b71ef3a77eb5522d2bb68d6489,
    another Python3.12 retro-compatible change.

 -- Gianfranco Costamagna <email address hidden>  Thu, 04 May 2023 09:22:42 +0200
Superseded in mantic-proposed
python-django (3:3.2.19-1ubuntu1) mantic; urgency=medium

  * debian/patches/16729.patch:
    - cherry-pick and adapt upstream Python3.12 test fix

 -- Gianfranco Costamagna <email address hidden>  Thu, 04 May 2023 09:15:13 +0200
Superseded in mantic-proposed
python-django (3:3.2.19-1) unstable; urgency=medium

  * New upstream security release.
  * CVE-2023-31047: Prevent a potential bypass of validation when uploading
    multiple files using one form field.

    Uploading multiple files using one form field has never been supported by
    forms.FileField or forms.ImageField as only the last uploaded file was
    validated. Unfortunately, the "Uploading multiple files" topic suggested
    otherwise. In order to avoid the vulnerability, the ClearableFileInput and
    FileInput form widgets now raise ValueError when the multiple HTML
    attribute is set on them. To prevent the exception and keep the old
    behavior, set the allow_multiple_selected attribute to True.

    For more details on using the new attribute and handling of multiple files
    through a single field, see:

      <https://docs.djangoproject.com/en/stable/topics/http/file-uploads/#uploading-multiple-files>

    (Closes: #1035467)

  * Bump Standards-Version to 4.6.2.

 -- Chris Lamb <email address hidden>  Wed, 03 May 2023 09:32:59 -0700
Superseded in mantic-proposed
python-django (3:3.2.18-1ubuntu1) mantic; urgency=medium

  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
      in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047

 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 09:55:57 -0400
Published in bionic-updates
Published in bionic-security
python-django (1:1.11.11-1ubuntu1.21) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
      in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047

 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 10:05:28 -0400
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.6) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
      in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047

 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 10:00:52 -0400
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.17) focal-security; urgency=medium

  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
      in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047

 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 10:03:19 -0400
Superseded in lunar-updates
Superseded in lunar-security
python-django (3:3.2.18-1ubuntu0.1) lunar-security; urgency=medium

  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
      in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047

 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 09:55:57 -0400
Superseded in kinetic-updates
Superseded in kinetic-security
python-django (3:3.2.15-1ubuntu1.3) kinetic-security; urgency=medium

  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
      in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047

 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 09:58:35 -0400
Superseded in mantic-release
Published in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
python-django (3:3.2.18-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2023-24580: Potential denial-of-service vulnerability in file uploads

      Passing certain inputs to multipart forms could result in too many open
      files or memory exhaustion, and provided a potential vector for a
      denial-of-service attack.

      The number of file parts parsed is now limited via the new
      DATA_UPLOAD_MAX_NUMBER_FILES setting.

      Thanks to Jakob Ackermann for the report. (Closes: #1031290)

 -- Chris Lamb <email address hidden>  Tue, 14 Feb 2023 09:12:57 -0800
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.20) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential denial-of-service in file uploads
    - debian/patches/CVE-2023-24580.patch: add limits to
      django/conf/global_settings.py, django/core/exceptions.py,
      django/core/handlers/exception.py, django/http/multipartparser.py,
      django/http/request.py, docs/ref/exceptions.txt,
      docs/ref/settings.txt, tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py.
    - CVE-2023-24580

 -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 10:30:23 -0500
Superseded in kinetic-updates
Superseded in kinetic-security
python-django (3:3.2.15-1ubuntu1.2) kinetic-security; urgency=medium

  * SECURITY UPDATE: Potential denial-of-service in file uploads
    - debian/patches/CVE-2023-24580.patch: add limits to
      django/conf/global_settings.py, django/core/exceptions.py,
      django/core/handlers/exception.py, django/http/multipartparser.py,
      django/http/request.py, docs/ref/exceptions.txt,
      docs/ref/settings.txt, tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py.
    - CVE-2023-24580

 -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 08:53:34 -0500
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.5) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential denial-of-service in file uploads
    - debian/patches/CVE-2023-24580.patch: add limits to
      django/conf/global_settings.py, django/core/exceptions.py,
      django/core/handlers/exception.py, django/http/multipartparser.py,
      django/http/request.py, docs/ref/exceptions.txt,
      docs/ref/settings.txt, tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py.
    - CVE-2023-24580

 -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 08:56:44 -0500
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.16) focal-security; urgency=medium

  * SECURITY UPDATE: Potential denial-of-service in file uploads
    - debian/patches/CVE-2023-24580.patch: add limits to
      django/conf/global_settings.py, django/core/exceptions.py,
      django/core/handlers/exception.py, django/http/multipartparser.py,
      django/http/request.py, docs/ref/exceptions.txt,
      docs/ref/settings.txt, tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py.
    - CVE-2023-24580

 -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 08:58:48 -0500
Superseded in lunar-proposed
python-django (3:3.2.17-1) unstable; urgency=medium

  * New security upstream release.
    <https://www.djangoproject.com/weblog/2023/feb/01/security-releases/>

    - CVE-2023-23969: Potential denial-of-service via Accept-Language headers

      The parsed values of Accept-Language headers are cached in order to avoid
      repetitive parsing. This leads to a potential denial-of-service vector
      via excessive memory usage if large header values are sent.

      In order to avoid this vulnerability, the Accept-Language header is now
      parsed up to a maximum length. (Closes: #1030251)

  * Drop 0010-Fixed-inspectdb.tests.InspectDBTestCase.test_custom_.patch;
    applied upstream.
  * Refresh all patches.

 -- Chris Lamb <email address hidden>  Wed, 01 Feb 2023 08:01:01 -0800
Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
python-django (3:3.2.16-1ubuntu2) lunar; urgency=medium

  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py,
      tests/i18n/tests.py.
    - CVE-2023-23969

 -- Marc Deslauriers <email address hidden>  Wed, 01 Feb 2023 09:35:23 -0500
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.19) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py,
      tests/i18n/tests.py.
    - CVE-2023-23969

 -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:45:22 -0500
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.4) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py,
      tests/i18n/tests.py.
    - CVE-2023-23969

 -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:37:50 -0500
Superseded in kinetic-updates
Superseded in kinetic-security
python-django (3:3.2.15-1ubuntu1.1) kinetic-security; urgency=medium

  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py,
      tests/i18n/tests.py.
    - CVE-2023-23969

 -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:35:46 -0500
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.15) focal-security; urgency=medium

  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py,
      tests/i18n/tests.py.
    - CVE-2023-23969

 -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:38:45 -0500
Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
python-django (3:3.2.16-1ubuntu1) lunar; urgency=medium

  * d/p/0012-Add-Python-3.11-support-for-tests.patch: Make unit tests
    compatible with Python 3.11 to fix build errors (LP: #2002012)

 -- Lena Voytek <email address hidden>  Fri, 06 Jan 2023 11:02:03 -0700
Superseded in lunar-release
Obsolete in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
python-django (3:3.2.15-1ubuntu1) kinetic; urgency=medium

  * SECURITY UPDATE: Potential DoS vulnerability in internationalized URLs
    - debian/patches/CVE-2022-41323.patch: Prevented locales being
      interpreted as regular expressions in django/urls/resolvers.py,
      tests/i18n/patterns/tests.py.
    - CVE-2022-41323

 -- Marc Deslauriers <email address hidden>  Wed, 05 Oct 2022 08:08:25 -0400
Superseded in lunar-proposed
python-django (3:3.2.16-1) unstable; urgency=high

  * New upstream security release.
    <https://www.djangoproject.com/weblog/2022/oct/04/security-releases/>

    - CVE-2022-41323: Prevent a potential denial-of-service vulnerability in
      internationalized URLs. Internationalised URLs were subject to potential
      denial of service attack via the locale parameter. This is now escaped to
      avoid this possibility.

 -- Chris Lamb <email address hidden>  Tue, 04 Oct 2022 07:51:21 -0700
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.14) focal-security; urgency=medium

  * SECURITY UPDATE: Potential DoS vulnerability in internationalized URLs
    - debian/patches/CVE-2022-41323.patch: Prevented locales being
      interpreted as regular expressions in django/urls/resolvers.py,
      tests/i18n/patterns/tests.py.
    - CVE-2022-41323

 -- Marc Deslauriers <email address hidden>  Tue, 27 Sep 2022 09:37:54 -0400
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential DoS vulnerability in internationalized URLs
    - debian/patches/CVE-2022-41323.patch: Prevented locales being
      interpreted as regular expressions in django/urls/resolvers.py,
      tests/i18n/patterns/tests.py.
    - CVE-2022-41323

 -- Marc Deslauriers <email address hidden>  Tue, 27 Sep 2022 09:35:14 -0400
Superseded in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
python-django (3:3.2.15-1) unstable; urgency=high

  * New upstream security release.

    - CVE-2022-36359: Potential reflected file download vulnerability in
      FileResponse. An application may have been vulnerable to a reflected file
      download (RFD) attack that sets the Content-Disposition header of a
      FileResponse when the filename was derived from user-supplied input. The
      filename is now escaped to avoid this possibility.

    <https://www.djangoproject.com/weblog/2022/aug/03/security-releases/>

 -- Chris Lamb <email address hidden>  Wed, 03 Aug 2022 07:11:45 -0700
Superseded in kinetic-proposed
python-django (3:3.2.14-1) unstable; urgency=medium

  * Revert Debian unstable to 3.2.x LTS release stream, bumping epoch.
    (Closes: #1016090)
  * Refresh patches.
  * Bump Standards-Version to 4.6.1.

 -- Chris Lamb <email address hidden>  Tue, 02 Aug 2022 09:02:41 -0700

Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential reflected file download
    - debian/patches/CVE-2022-36359.patch: escaped filename in
      Content-Disposition header in django/http/response.py,
      tests/responses/test_fileresponse.py.
    - CVE-2022-36359

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 27 Jul 2022 11:12:17 -0300
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.13) focal-security; urgency=medium

  * SECURITY UPDATE: Potential reflected file download
    - debian/patches/CVE-2022-36359.patch: escaped filename in
      Content-Disposition header in django/http/response.py,
      tests/responses/test_fileresponse.py.
    - CVE-2022-36359

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 27 Jul 2022 11:31:16 -0300
Superseded in kinetic-proposed
python-django (2:4.0.6-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2022-34265: Potential SQL injection via Trunc(kind) and
      Extract(lookup_name) arguments.

      "Trunc() and Extract() database functions were subject to SQL injection if
      untrusted data was used as a kind/lookup_name value. Applications that
      constrain the lookup name and kind choice to a known safe list are
      unaffected."

      "This security release mitigates the issue, but we have identified
      improvements to the Database API methods related to date extract and
      truncate that would be beneficial to add to Django 4.1 before its final
      release. This will impact 3rd party database backends using Django 4.1
      release candidate 1 or newer, until they are able to update to the API
      changes. We apologize for the inconvenience."

      <https://www.djangoproject.com/weblog/2022/jul/04/security-releases/>

  * Refresh patches.

 -- Chris Lamb <email address hidden>  Tue, 05 Jul 2022 12:38:15 +0100

Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.18) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection
    - debian/patches/CVE-2022-34265.patch: protected
      trunc/extract against SQL injection in
      django/db/backends/base/operations.py,
      django/db/models/functions/datetime.py.
    - CVE-2022-34265

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 29 Jun 2022 15:19:32 -0300
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.12) focal-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection
    - debian/patches/CVE-2022-34265.patch: protected
      trunc/extract against SQL injection in
      django/db/backends/base/operations.py,
      django/db/models/functions/datetime.py.
    - CVE-2022-34265

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 29 Jun 2022 13:44:58 -0300
Superseded in jammy-updates
Superseded in jammy-security
python-django (2:3.2.12-2ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection
    - debian/patches/CVE-2022-34265.patch: protected
      trunc/extract against SQL injection in
      django/db/backends/base/operations.py,
      django/db/models/functions/datetime.py.
    - CVE-2022-34265

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 29 Jun 2022 09:29:53 -0300
Obsolete in impish-updates
Obsolete in impish-security
python-django (2:2.2.24-1ubuntu1.5) impish-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection
    - debian/patches/CVE-2022-34265.patch: protected
      trunc/extract against SQL injection in
      django/db/backends/base/operations.py,
      django/db/models/functions/datetime.py.
    - CVE-2022-34265

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 29 Jun 2022 09:49:47 -0300
Superseded in kinetic-proposed
python-django (2:4.0.5-2) unstable; urgency=medium

  [ Lena Voytek ]
  * Add updated version of SQLite 3.37+ / test_custom_fields patch.
    (Closes: #1012784)

  [ Chris Lamb ]
  * Add debian/gitlab-ci.yml.
    - Allow some elements of the pipeline to fail.

 -- Chris Lamb <email address hidden>  Thu, 16 Jun 2022 08:00:35 +0100

Superseded in kinetic-proposed
python-django (2:4.0.5-1) unstable; urgency=medium

  * Upload 4.x stable release stream to unstable using the 4.0.5 bugfix
    release. (The 4.x stream has been in experimental since September 2021.)
  * Update debian/gbp.conf and debian/watch to match new version series.
  * Update patches.
  * No need to delete django-admin.py script anymore; does not exist in 4.x.

 -- Chris Lamb <email address hidden>  Mon, 06 Jun 2022 12:31:50 +0100

Superseded in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
python-django (2:3.2.13-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2022-28346: Potential SQL injection in QuerySet.annotate(),
      aggregate(), and extra().

      QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL
      injection in column aliases, using a suitably crafted dictionary, with
      dictionary expansion, as the **kwargs passed to these methods.

    - CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options)
      on PostgreSQL.

      QuerySet.explain() method was subject to SQL injection in option names,
      using a suitably crafted dictionary, with dictionary expansion, as the
      **options argument.

    See <https://www.djangoproject.com/weblog/2022/apr/11/security-releases/>
    for more info.

 -- Chris Lamb <email address hidden>  Tue, 12 Apr 2022 18:22:30 +0200
Superseded in kinetic-release
Published in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
python-django (2:3.2.12-2ubuntu1) jammy; urgency=medium

  * SECURITY UPDATE: Potential SQL injection in QuerySet.annotate(),
    aggregate(), and extra()
    - debian/patches/CVE-2022-28346.patch: prevent SQL injection in column
      aliases in django/db/models/sql/query.py, tests/aggregation/tests.py,
      tests/annotations/tests.py, tests/queries/tests.py,
      tests/expressions/test_queryset_values.py.
    - CVE-2022-28346
  * SECURITY UPDATE: Potential SQL injection via
    QuerySet.explain(**options) on PostgreSQL
    - debian/patches/CVE-2022-28347.patch: prevent SQL injection in
      django/db/backends/postgresql/features.py,
      django/db/backends/postgresql/operations.py,
      django/db/models/sql/query.py, tests/queries/test_explain.py.
    - CVE-2022-28347

 -- Marc Deslauriers <email address hidden>  Mon, 11 Apr 2022 08:16:53 -0400
Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.11) focal-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection in QuerySet.annotate(),
    aggregate(), and extra()
    - debian/patches/CVE-2022-28346.patch: prevent SQL injection in column
      aliases in django/db/models/sql/query.py, tests/aggregation/tests.py,
      tests/annotations/tests.py, tests/queries/tests.py,
      tests/expressions/test_queryset_values.py.
    - CVE-2022-28346
  * SECURITY UPDATE: Potential SQL injection via
    QuerySet.explain(**options) on PostgreSQL
    - debian/patches/CVE-2022-28347.patch: prevent SQL injection in
      django/db/backends/postgresql/features.py,
      django/db/backends/postgresql/operations.py,
      django/db/models/sql/query.py, tests/queries/test_explain.py.
    - CVE-2022-28347

 -- Marc Deslauriers <email address hidden>  Tue, 05 Apr 2022 12:32:17 -0400
Superseded in impish-updates
Superseded in impish-security
python-django (2:2.2.24-1ubuntu1.4) impish-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection in QuerySet.annotate(),
    aggregate(), and extra()
    - debian/patches/CVE-2022-28346.patch: prevent SQL injection in column
      aliases in django/db/models/sql/query.py, tests/aggregation/tests.py,
      tests/annotations/tests.py, tests/queries/tests.py,
      tests/expressions/test_queryset_values.py.
    - CVE-2022-28346
  * SECURITY UPDATE: Potential SQL injection via
    QuerySet.explain(**options) on PostgreSQL
    - debian/patches/CVE-2022-28347.patch: prevent SQL injection in
      django/db/backends/postgresql/features.py,
      django/db/backends/postgresql/operations.py,
      django/db/models/sql/query.py, tests/queries/test_explain.py.
    - CVE-2022-28347

 -- Marc Deslauriers <email address hidden>  Tue, 05 Apr 2022 12:28:21 -0400
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.17) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection in QuerySet.annotate(),
    aggregate(), and extra()
    - debian/patches/CVE-2022-28346.patch: prevent SQL injection in column
      aliases in django/db/models/sql/query.py, tests/aggregation/tests.py,
      tests/annotations/tests.py, tests/queries/tests.py,
      tests/expressions/test_queryset_values.py.
    - CVE-2022-28346
  * SECURITY UPDATE: header injection in URLValidator with Python security
    update
    - debian/patches/CVE-2021-32052.patch: prevent newlines and tabs from
      being accepted in URLValidator in django/core/validators.py,
      tests/validators/tests.py.
    - CVE-2021-32052

 -- Marc Deslauriers <email address hidden>  Tue, 05 Apr 2022 12:40:49 -0400
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
python-django (2:3.2.12-2) unstable; urgency=medium

  * Fix a traceback around the handling of RequestSite/get_current_site() due
    to a circular import by backporting commit 78163d1a from upstream. Thanks
    to Raphaël Hertzog for the report. (Closes: #1003478)

 -- Chris Lamb <email address hidden>  Tue, 22 Feb 2022 09:43:02 +0000
Superseded in bionic-updates
Superseded in bionic-security
python-django (1:1.11.11-1ubuntu1.16) bionic-security; urgency=medium

  * SECURITY UPDATE: possible XSS via debug template tag
    - debian/patches/CVE-2022-22818.patch: properly encode the current
      context in django/template/defaulttags.py,
      tests/template_tests/syntax_tests/test_debug.py,
      tests/template_tests/tests.py.
    - CVE-2022-22818
  * SECURITY UPDATE: denial-of-service possibility in file uploads
    - debian/patches/CVE-2022-23833.patch: fix infinite loop in
      django/http/multipartparser.py, tests/file_uploads/tests.py.
    - CVE-2022-23833

 -- Marc Deslauriers <email address hidden>  Tue, 01 Feb 2022 10:08:56 -0500
Superseded in jammy-proposed
python-django (2:3.2.12-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2022-22818: Possible XSS via {% debug %} template tag.

      The {% debug %} template tag didn't properly encode the current context,
      posing an XSS attack vector.

      In order to avoid this vulnerability, {% debug %} no longer outputs
      information when the DEBUG setting is False, and it ensures all context
      variables are correctly escaped when the DEBUG setting is True.

    - CVE-2022-23833: Denial-of-service possibility in file uploads.

      Passing certain inputs to multipart forms could result in an
      infinite loop when parsing files.

    See <https://www.djangoproject.com/weblog/2022/feb/01/security-releases/>
    for more information. (Closes: #1004752)

 -- Chris Lamb <email address hidden>  Tue, 01 Feb 2022 09:28:58 -0800

Superseded in focal-updates
Superseded in focal-security
python-django (2:2.2.12-1ubuntu0.10) focal-security; urgency=medium

  * SECURITY UPDATE: possible XSS via debug template tag
    - debian/patches/CVE-2022-22818.patch: properly encode the current
      context in django/template/defaulttags.py,
      tests/template_tests/syntax_tests/test_debug.py,
      tests/template_tests/tests.py.
    - CVE-2022-22818
  * SECURITY UPDATE: denial-of-service possibility in file uploads
    - debian/patches/CVE-2022-23833.patch: fix infinite loop in
      django/http/multipartparser.py, tests/file_uploads/tests.py.
    - CVE-2022-23833

 -- Marc Deslauriers <email address hidden>  Tue, 01 Feb 2022 10:06:20 -0500
Superseded in impish-updates
Superseded in impish-security
python-django (2:2.2.24-1ubuntu1.3) impish-security; urgency=medium

  * SECURITY UPDATE: possible XSS via debug template tag
    - debian/patches/CVE-2022-22818.patch: properly encode the current
      context in django/template/defaulttags.py,
      tests/template_tests/syntax_tests/test_debug.py,
      tests/template_tests/tests.py.
    - CVE-2022-22818
  * SECURITY UPDATE: denial-of-service possibility in file uploads
    - debian/patches/CVE-2022-23833.patch: fix infinite loop in
      django/http/multipartparser.py, tests/file_uploads/tests.py.
    - CVE-2022-23833

 -- Marc Deslauriers <email address hidden>  Tue, 01 Feb 2022 10:02:39 -0500
Superseded in jammy-proposed
python-django (2:3.2.11-2) unstable; urgency=medium

  [ Chris Lamb ]
  * Fix compatibility with SQLite 3.37+. (Closes: #1004464)

  [ Salman Mohammadi ]
  * Drop references to the deprecated python3-memcache package.

 -- Chris Lamb <email address hidden>  Fri, 28 Jan 2022 08:52:06 -0800
