Change log for python-django package in Ubuntu
Published in oracular-release
Published in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
python-django (3:4.2.11-1ubuntu1) noble; urgency=medium
  * d/p/fix-mail-using-utf-8-surrogateescape.patch: Fix SafeMIMEText.set_payload()
    crash using python 3.12.3
 -- Lena Voytek <email address hidden>  Tue, 16 Apr 2024 12:25:28 -0700

python-django (3:4.2.11-1) unstable; urgency=high
  * New upstream security release:
    - CVE-2024-27351: Fix a potential regular expression denial-of-service
      (ReDoS) attack in django.utils.text.Truncator.words. This method (with
      html=True) and the truncatewords_html template filter were subject to a
      potential regular expression denial-of-service attack via a suitably
      crafted string. This is, in part, a follow up to CVE-2019-14232 and
      CVE-2023-43665.
    <https://docs.djangoproject.com/en/dev/releases/4.2.11/>
 -- Chris Lamb <email address hidden>  Tue, 05 Mar 2024 13:03:35 +0000
Available diffs:
- diff from 3:4.2.9-1 to 3:4.2.11-1 (4.7 KiB)
- diff from 3:4.2.10-1 to 3:4.2.11-1 (4.2 KiB)

python-django (2:2.2.12-1ubuntu0.22) focal-security; urgency=medium
  * SECURITY UPDATE: regular expression denial-of-service
    - debian/patches/CVE-2024-27351.patch: prevented potential ReDoS in
      Truncator.words() in django/utils/text.py, tests/utils_tests/test_text.py.
    - CVE-2024-27351
 -- Marc Deslauriers <email address hidden>  Mon, 26 Feb 2024 12:03:03 -0500

python-django (2:3.2.12-2ubuntu1.11) jammy-security; urgency=medium
  * SECURITY UPDATE: regular expression denial-of-service
    - debian/patches/CVE-2024-27351.patch: prevented potential ReDoS in
      Truncator.words() in django/utils/text.py, tests/utils_tests/test_text.py.
    - CVE-2024-27351
 -- Marc Deslauriers <email address hidden>  Mon, 26 Feb 2024 11:53:44 -0500

python-django (3:4.2.4-1ubuntu2.2) mantic-security; urgency=medium
  * SECURITY UPDATE: regular expression denial-of-service
    - debian/patches/CVE-2024-27351.patch: prevented potential ReDoS in
      Truncator.words() in django/utils/text.py, tests/utils_tests/test_text.py.
    - CVE-2024-27351
 -- Marc Deslauriers <email address hidden>  Mon, 26 Feb 2024 11:51:37 -0500

Superseded in noble-proposed
python-django (3:4.2.10-1) unstable; urgency=high
  * New upstream security release:
    - CVE-2024-24680: Potential denial-of-service in intcomma template filter.
      The intcomma template filter was subject to a potential denial-of-service
      attack when used with very long strings.
    <https://docs.djangoproject.com/en/dev/releases/4.2.10/>
 -- Chris Lamb <email address hidden>  Tue, 06 Feb 2024 08:15:25 -0800
Available diffs:
- diff from 3:4.2.9-1 to 3:4.2.10-1 (2.8 KiB)

python-django (2:2.2.12-1ubuntu0.21) focal-security; urgency=medium
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2024-24680.patch: rewrite regex logic to avoid DoS in
      django/contrib/humanize/templatetags/humanize.py,
      tests/humanize_tests/tests.py.
    - CVE-2024-24680
 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 30 Jan 2024 09:27:23 -0300

python-django (3:4.2.4-1ubuntu2.1) mantic-security; urgency=medium
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2024-24680.patch: rewrite regex logic to avoid DoS in
      django/contrib/humanize/templatetags/humanize.py,
      tests/humanize_tests/tests.py.
    - CVE-2024-24680
 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 30 Jan 2024 10:38:29 -0300

python-django (2:3.2.12-2ubuntu1.10) jammy-security; urgency=medium
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2024-24680.patch: rewrite regex logic to avoid DoS in
      django/contrib/humanize/templatetags/humanize.py,
      tests/humanize_tests/tests.py.
    - CVE-2024-24680
 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 30 Jan 2024 13:25:10 -0300

python-django (3:4.2.9-1) unstable; urgency=medium
  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/dev/releases/4.2.9/>
 -- Chris Lamb <email address hidden>  Wed, 03 Jan 2024 11:15:04 +0000
Available diffs:
- diff from 3:4.2.8-1 to 3:4.2.9-1 (1.1 KiB)

python-django (3:4.2.8-1) unstable; urgency=medium
  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/5.0/releases/4.2.8/>
 -- Chris Lamb <email address hidden>  Thu, 07 Dec 2023 13:05:03 +0000

Superseded in noble-release
Published in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
python-django (3:4.2.4-1ubuntu2) mantic; urgency=medium
  * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
    - debian/patches/CVE-2023-43665.patch: limit size of input strings in
      django/utils/text.py, tests/utils_tests/test_text.py,
      docs/ref/templates/builtins.txt.
    - CVE-2023-43665
 -- Marc Deslauriers <email address hidden>  Wed, 04 Oct 2023 13:53:21 -0400

python-django (2:2.2.12-1ubuntu0.20) focal-security; urgency=medium
  * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
    - debian/patches/CVE-2023-43665.patch: limit size of input strings in
      django/utils/text.py, tests/utils_tests/test_text.py.
    - CVE-2023-43665
 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2023 13:37:46 -0400

python-django (2:3.2.12-2ubuntu1.9) jammy-security; urgency=medium
  * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
    - debian/patches/CVE-2023-43665.patch: limit size of input strings in
      django/utils/text.py, tests/utils_tests/test_text.py.
    - CVE-2023-43665
 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2023 13:36:26 -0400

python-django (3:3.2.18-1ubuntu0.5) lunar-security; urgency=medium
  * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
    - debian/patches/CVE-2023-43665.patch: limit size of input strings in
      django/utils/text.py, tests/utils_tests/test_text.py.
    - CVE-2023-43665
 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2023 13:00:07 -0400

python-django (3:4.2.4-1ubuntu1) mantic; urgency=medium
  * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2023-41164.patch: properly handle large number of
      Unicode characters in django/utils/encoding.py,
      tests/utils_tests/test_encoding.py.
    - CVE-2023-41164
 -- Marc Deslauriers <email address hidden>  Mon, 18 Sep 2023 14:41:43 -0400

python-django (2:2.2.12-1ubuntu0.19) focal-security; urgency=medium
  * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2023-41164.patch: properly handle large number of
      Unicode characters in django/utils/encoding.py,
      tests/utils_tests/test_encoding.py.
    - CVE-2023-41164
 -- Marc Deslauriers <email address hidden>  Fri, 15 Sep 2023 09:17:39 -0400

python-django (2:3.2.12-2ubuntu1.8) jammy-security; urgency=medium
  * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2023-41164.patch: properly handle large number of
      Unicode characters in django/utils/encoding.py,
      tests/utils_tests/test_encoding.py.
    - CVE-2023-41164
 -- Marc Deslauriers <email address hidden>  Fri, 15 Sep 2023 08:51:14 -0400

python-django (3:3.2.18-1ubuntu0.4) lunar-security; urgency=medium
  * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2023-41164.patch: properly handle large number of
      Unicode characters in django/utils/encoding.py,
      tests/utils_tests/test_encoding.py.
    - CVE-2023-41164
 -- Marc Deslauriers <email address hidden>  Fri, 15 Sep 2023 08:39:57 -0400

python-django (3:4.2.4-1) experimental; urgency=medium
  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/4.2/releases/4.2.4/>
 -- Chris Lamb <email address hidden>  Wed, 02 Aug 2023 07:53:39 +0100
Available diffs:
- diff from 3:3.2.20-1.1 to 3:4.2.4-1 (4.3 MiB)

python-django (3:3.2.20-1.1) unstable; urgency=high
  [ Gianfranco Costamagna ]
  * Non-maintainer upload.
  [ Graham Inggs ]
  * Cherry-pick upstream commit to fix URLValidator crash in some edge cases
    (LP: #2025155, Closes: #1037920)
 -- Gianfranco Costamagna <email address hidden>  Tue, 04 Jul 2023 09:31:10 +0200

Superseded in mantic-proposed
python-django (3:3.2.20-1ubuntu1) mantic; urgency=low
  * Merge from Debian unstable. Remaining changes:
    - Cherry-pick upstream commit to fix URLValidator crash in some edge cases
      (LP: #2025155)

Superseded in mantic-proposed
python-django (3:3.2.20-1) unstable; urgency=high
  * New upstream security release:
    - CVE-2023-36053: Potential regular expression denial of service
      vulnerability in EmailValidator/URLValidator. EmailValidator and
      URLValidator were subject to potential regular expression denial of
      service attack via a very large number of domain name labels of emails
      and URLs. (Closes: #1040225)
 -- Chris Lamb <email address hidden>  Mon, 03 Jul 2023 20:34:24 +0100

python-django (3:3.2.18-1ubuntu0.3) lunar-security; urgency=medium
  * SECURITY UPDATE: Potential ReDoS issues
    - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
      EmailValidator and URLValidator in django/core/validators.py,
      django/forms/fields.py, docs/ref/forms/fields.txt,
      docs/ref/validators.txt,
      tests/forms_tests/field_tests/test_emailfield.py,
      tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
    - CVE-2023-36053
  * debian/patches/fix-url-validator.patch: Cherry-pick upstream commit to fix
    URLValidator crash in some edge cases (LP: #2025155)
 -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:18:49 -0400

python-django (3:3.2.19-1ubuntu3) mantic; urgency=medium
  * Drop 2eb1f37260f0e0b71ef3a77eb5522d2bb68d6489.patch and 16729.patch, it
    seems these are no longer needed
  * Cherry-pick upstream commit to fix URLValidator crash in some edge cases
    (LP: #2025155)
 -- Graham Inggs <email address hidden>  Wed, 28 Jun 2023 11:20:10 +0000

python-django (2:2.2.12-1ubuntu0.18) focal-security; urgency=medium
  * SECURITY UPDATE: Potential ReDoS issues
    - debian/patches/CVE-2023-36053-pre1.patch: fix URLValidator hostname
      length validation in django/core/validators.py,
      tests/validators/valid_urls.txt.
    - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
      EmailValidator and URLValidator in django/core/validators.py,
      django/forms/fields.py,
      tests/forms_tests/field_tests/test_emailfield.py,
      tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
    - CVE-2023-36053
 -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:40:09 -0400

python-django (3:3.2.15-1ubuntu1.4) kinetic-security; urgency=medium
  * SECURITY UPDATE: Potential ReDoS issues
    - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
      EmailValidator and URLValidator in django/core/validators.py,
      django/forms/fields.py, docs/ref/forms/fields.txt,
      docs/ref/validators.txt,
      tests/forms_tests/field_tests/test_emailfield.py,
      tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
    - CVE-2023-36053
 -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:23:46 -0400

python-django (2:3.2.12-2ubuntu1.7) jammy-security; urgency=medium
  * SECURITY UPDATE: Potential ReDoS issues
    - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
      EmailValidator and URLValidator in django/core/validators.py,
      django/forms/fields.py, docs/ref/forms/fields.txt,
      docs/ref/validators.txt,
      tests/forms_tests/field_tests/test_emailfield.py,
      tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
    - CVE-2023-36053
 -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:24:13 -0400

python-django (3:3.2.19-1ubuntu2) mantic; urgency=medium
  * Cherry-pick 2eb1f37260f0e0b71ef3a77eb5522d2bb68d6489, another Python3.12
    retro-compatible change.
 -- Gianfranco Costamagna <email address hidden>  Thu, 04 May 2023 09:22:42 +0200

Superseded in mantic-proposed
python-django (3:3.2.19-1ubuntu1) mantic; urgency=medium
  * debian/patches/16729.patch:
    - cherry-pick and adapt upstream Python3.12 test fix
 -- Gianfranco Costamagna <email address hidden>  Thu, 04 May 2023 09:15:13 +0200

Superseded in mantic-proposed
python-django (3:3.2.19-1) unstable; urgency=medium
  * New upstream security release.
  * CVE-2023-31047: Prevent a potential bypass of validation when uploading
    multiple files using one form field. Uploading multiple files using one
    form field has never been supported by forms.FileField or
    forms.ImageField as only the last uploaded file was validated.
    Unfortunately, the "Uploading multiple files" topic suggested otherwise.
    In order to avoid the vulnerability, the ClearableFileInput and FileInput
    form widgets now raise ValueError when the multiple HTML attribute is set
    on them. To prevent the exception and keep the old behavior, set the
    allow_multiple_selected attribute to True. For more details on using the
    new attribute and handling of multiple files through a single field, see:
    <https://docs.djangoproject.com/en/stable/topics/http/file-uploads/#uploading-multiple-files>
    (Closes: #1035467)
  * Bump Standards-Version to 4.6.2.
 -- Chris Lamb <email address hidden>  Wed, 03 May 2023 09:32:59 -0700

Superseded in mantic-proposed
python-django (3:3.2.18-1ubuntu1) mantic; urgency=medium
  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files in
      django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047
 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 09:55:57 -0400

python-django (1:1.11.11-1ubuntu1.21) bionic-security; urgency=medium
  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files in
      django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047
 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 10:05:28 -0400

python-django (2:3.2.12-2ubuntu1.6) jammy-security; urgency=medium
  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files in
      django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047
 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 10:00:52 -0400

python-django (2:2.2.12-1ubuntu0.17) focal-security; urgency=medium
  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files in
      django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047
 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 10:03:19 -0400

python-django (3:3.2.18-1ubuntu0.1) lunar-security; urgency=medium
  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files in
      django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047
 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 09:55:57 -0400

python-django (3:3.2.15-1ubuntu1.3) kinetic-security; urgency=medium
  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files in
      django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047
 -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 09:58:35 -0400

Superseded in mantic-release
Published in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
python-django (3:3.2.18-1) unstable; urgency=high
  * New upstream security release:
    - CVE-2023-24580: Potential denial-of-service vulnerability in file
      uploads. Passing certain inputs to multipart forms could result in too
      many open files or memory exhaustion, and provided a potential vector
      for a denial-of-service attack. The number of file parts parsed is now
      limited via the new DATA_UPLOAD_MAX_NUMBER_FILES setting. Thanks to
      Jakob Ackermann for the report. (Closes: #1031290)
 -- Chris Lamb <email address hidden>  Tue, 14 Feb 2023 09:12:57 -0800
Available diffs:
- diff from 3:3.2.16-1ubuntu2 (in Ubuntu) to 3:3.2.18-1 (12.2 KiB)
- diff from 3:3.2.17-1 to 3:3.2.18-1 (5.6 KiB)

python-django (1:1.11.11-1ubuntu1.20) bionic-security; urgency=medium
  * SECURITY UPDATE: Potential denial-of-service in file uploads
    - debian/patches/CVE-2023-24580.patch: add limits to
      django/conf/global_settings.py, django/core/exceptions.py,
      django/core/handlers/exception.py, django/http/multipartparser.py,
      django/http/request.py, docs/ref/exceptions.txt, docs/ref/settings.txt,
      tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py.
    - CVE-2023-24580
 -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 10:30:23 -0500

python-django (3:3.2.15-1ubuntu1.2) kinetic-security; urgency=medium
  * SECURITY UPDATE: Potential denial-of-service in file uploads
    - debian/patches/CVE-2023-24580.patch: add limits to
      django/conf/global_settings.py, django/core/exceptions.py,
      django/core/handlers/exception.py, django/http/multipartparser.py,
      django/http/request.py, docs/ref/exceptions.txt, docs/ref/settings.txt,
      tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py.
    - CVE-2023-24580
 -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 08:53:34 -0500

python-django (2:3.2.12-2ubuntu1.5) jammy-security; urgency=medium
  * SECURITY UPDATE: Potential denial-of-service in file uploads
    - debian/patches/CVE-2023-24580.patch: add limits to
      django/conf/global_settings.py, django/core/exceptions.py,
      django/core/handlers/exception.py, django/http/multipartparser.py,
      django/http/request.py, docs/ref/exceptions.txt, docs/ref/settings.txt,
      tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py.
    - CVE-2023-24580
 -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 08:56:44 -0500

python-django (2:2.2.12-1ubuntu0.16) focal-security; urgency=medium
  * SECURITY UPDATE: Potential denial-of-service in file uploads
    - debian/patches/CVE-2023-24580.patch: add limits to
      django/conf/global_settings.py, django/core/exceptions.py,
      django/core/handlers/exception.py, django/http/multipartparser.py,
      django/http/request.py, docs/ref/exceptions.txt, docs/ref/settings.txt,
      tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py.
    - CVE-2023-24580
 -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 08:58:48 -0500

Superseded in lunar-proposed
python-django (3:3.2.17-1) unstable; urgency=medium
  * New security upstream release.
    <https://www.djangoproject.com/weblog/2023/feb/01/security-releases/>
    - CVE-2023-23969: Potential denial-of-service via Accept-Language headers.
      The parsed values of Accept-Language headers are cached in order to
      avoid repetitive parsing. This leads to a potential denial-of-service
      vector via excessive memory usage if large header values are sent. In
      order to avoid this vulnerability, the Accept-Language header is now
      parsed up to a maximum length. (Closes: #1030251)
  * Drop 0010-Fixed-inspectdb.tests.InspectDBTestCase.test_custom_.patch;
    applied upstream.
  * Refresh all patches.
 -- Chris Lamb <email address hidden>  Wed, 01 Feb 2023 08:01:01 -0800

python-django (3:3.2.16-1ubuntu2) lunar; urgency=medium
  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py, tests/i18n/tests.py.
    - CVE-2023-23969
 -- Marc Deslauriers <email address hidden>  Wed, 01 Feb 2023 09:35:23 -0500

python-django (1:1.11.11-1ubuntu1.19) bionic-security; urgency=medium
  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py, tests/i18n/tests.py.
    - CVE-2023-23969
 -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:45:22 -0500

python-django (2:3.2.12-2ubuntu1.4) jammy-security; urgency=medium
  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py, tests/i18n/tests.py.
    - CVE-2023-23969
 -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:37:50 -0500

python-django (3:3.2.15-1ubuntu1.1) kinetic-security; urgency=medium
  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py, tests/i18n/tests.py.
    - CVE-2023-23969
 -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:35:46 -0500

python-django (2:2.2.12-1ubuntu0.15) focal-security; urgency=medium
  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py, tests/i18n/tests.py.
    - CVE-2023-23969
 -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:38:45 -0500

python-django (3:3.2.16-1ubuntu1) lunar; urgency=medium
  * d/p/0012-Add-Python-3.11-support-for-tests.patch: Make unit tests
    compatible with Python 3.11 to fix build errors (LP: #2002012)
 -- Lena Voytek <email address hidden>  Fri, 06 Jan 2023 11:02:03 -0700

Superseded in lunar-release
Obsolete in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
python-django (3:3.2.15-1ubuntu1) kinetic; urgency=medium
  * SECURITY UPDATE: Potential DoS vulnerability in internationalized URLs
    - debian/patches/CVE-2022-41323.patch: Prevented locales being interpreted
      as regular expressions in django/urls/resolvers.py,
      tests/i18n/patterns/tests.py.
    - CVE-2022-41323
 -- Marc Deslauriers <email address hidden>  Wed, 05 Oct 2022 08:08:25 -0400

Superseded in lunar-proposed
python-django (3:3.2.16-1) unstable; urgency=high
  * New upstream security release.
    <https://www.djangoproject.com/weblog/2022/oct/04/security-releases/>
    - CVE-2022-41323: Prevent a potential denial-of-service vulnerability in
      internationalized URLs. Internationalised URLs were subject to potential
      denial of service attack via the locale parameter. This is now escaped
      to avoid this possibility.
 -- Chris Lamb <email address hidden>  Tue, 04 Oct 2022 07:51:21 -0700

python-django (2:2.2.12-1ubuntu0.14) focal-security; urgency=medium
  * SECURITY UPDATE: Potential DoS vulnerability in internationalized URLs
    - debian/patches/CVE-2022-41323.patch: Prevented locales being interpreted
      as regular expressions in django/urls/resolvers.py,
      tests/i18n/patterns/tests.py.
    - CVE-2022-41323
 -- Marc Deslauriers <email address hidden>  Tue, 27 Sep 2022 09:37:54 -0400

python-django (2:3.2.12-2ubuntu1.3) jammy-security; urgency=medium
  * SECURITY UPDATE: Potential DoS vulnerability in internationalized URLs
    - debian/patches/CVE-2022-41323.patch: Prevented locales being interpreted
      as regular expressions in django/urls/resolvers.py,
      tests/i18n/patterns/tests.py.
    - CVE-2022-41323
 -- Marc Deslauriers <email address hidden>  Tue, 27 Sep 2022 09:35:14 -0400

python-django (3:3.2.15-1) unstable; urgency=high
  * New upstream security release.
    - CVE-2022-36359: Potential reflected file download vulnerability in
      FileResponse. An application may have been vulnerable to a reflected
      file download (RFD) attack that sets the Content-Disposition header of a
      FileResponse when the filename was derived from user-supplied input. The
      filename is now escaped to avoid this possibility.
    <https://www.djangoproject.com/weblog/2022/aug/03/security-releases/>
 -- Chris Lamb <email address hidden>  Wed, 03 Aug 2022 07:11:45 -0700
Available diffs:
- diff from 2:3.2.13-1 to 3:3.2.15-1 (16.5 KiB)
- diff from 3:3.2.14-1 to 3:3.2.15-1 (4.1 KiB)

Superseded in kinetic-proposed
python-django (3:3.2.14-1) unstable; urgency=medium
  * Revert Debian unstable to 3.2.x LTS release stream, bumping epoch.
    (Closes: #1016090)
  * Refresh patches.
  * Bump Standards-Version to 4.6.1.
 -- Chris Lamb <email address hidden>  Tue, 02 Aug 2022 09:02:41 -0700
Available diffs:
- diff from 2:4.0.6-1 to 3:3.2.14-1 (3.3 MiB)

python-django (2:3.2.12-2ubuntu1.2) jammy-security; urgency=medium
  * SECURITY UPDATE: Potential reflected file download
    - debian/patches/CVE-2022-36359.patch: escaped filename in
      Content-Disposition header in django/http/response.py,
      tests/responses/test_fileresponse.py.
    - CVE-2022-36359
 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 27 Jul 2022 11:12:17 -0300

python-django (2:2.2.12-1ubuntu0.13) focal-security; urgency=medium
  * SECURITY UPDATE: Potential reflected file download
    - debian/patches/CVE-2022-36359.patch: escaped filename in
      Content-Disposition header in django/http/response.py,
      tests/responses/test_fileresponse.py.
    - CVE-2022-36359
 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 27 Jul 2022 11:31:16 -0300

python-django (2:4.0.6-1) unstable; urgency=high
  * New upstream security release:
    - CVE-2022-34265: Potential SQL injection via Trunc(kind) and
      Extract(lookup_name) arguments.
      "Trunc() and Extract() database functions were subject to SQL injection
      if untrusted data was used as a kind/lookup_name value. Applications
      that constrain the lookup name and kind choice to a known safe list are
      unaffected."
      "This security release mitigates the issue, but we have identified
      improvements to the Database API methods related to date extract and
      truncate that would be beneficial to add to Django 4.1 before its final
      release. This will impact 3rd party database backends using Django 4.1
      release candidate 1 or newer, until they are able to update to the API
      changes. We apologize for the inconvenience."
    <https://www.djangoproject.com/weblog/2022/jul/04/security-releases/>
  * Refresh patches.
 -- Chris Lamb <email address hidden>  Tue, 05 Jul 2022 12:38:15 +0100
Available diffs:
- diff from 2:4.0.5-2 to 2:4.0.6-1 (21.6 KiB)

python-django (1:1.11.11-1ubuntu1.18) bionic-security; urgency=medium
  * SECURITY UPDATE: Potential SQL injection
    - debian/patches/CVE-2022-34265.patch: protected trunc/extract against SQL
      injection in django/db/backends/base/operations.py,
      django/db/models/functions/datetime.py.
    - CVE-2022-34265
 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 29 Jun 2022 15:19:32 -0300

python-django (2:2.2.12-1ubuntu0.12) focal-security; urgency=medium
  * SECURITY UPDATE: Potential SQL injection
    - debian/patches/CVE-2022-34265.patch: protected trunc/extract against SQL
      injection in django/db/backends/base/operations.py,
      django/db/models/functions/datetime.py.
    - CVE-2022-34265
 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 29 Jun 2022 13:44:58 -0300

python-django (2:3.2.12-2ubuntu1.1) jammy-security; urgency=medium
  * SECURITY UPDATE: Potential SQL injection
    - debian/patches/CVE-2022-34265.patch: protected trunc/extract against SQL
      injection in django/db/backends/base/operations.py,
      django/db/models/functions/datetime.py.
    - CVE-2022-34265
 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 29 Jun 2022 09:29:53 -0300

python-django (2:2.2.24-1ubuntu1.5) impish-security; urgency=medium
  * SECURITY UPDATE: Potential SQL injection
    - debian/patches/CVE-2022-34265.patch: protected trunc/extract against SQL
      injection in django/db/backends/base/operations.py,
      django/db/models/functions/datetime.py.
    - CVE-2022-34265
 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 29 Jun 2022 09:49:47 -0300

python-django (2:4.0.5-2) unstable; urgency=medium
  [ Lena Voytek ]
  * Add updated version of SQLite 3.37+ / test_custom_fields patch.
    (Closes: #1012784)
  [ Chris Lamb ]
  * Add debian/gitlab-ci.yml.
    - Allow some elements of the pipeline to fail.
 -- Chris Lamb <email address hidden>  Thu, 16 Jun 2022 08:00:35 +0100
Available diffs:
- diff from 2:4.0.5-1 to 2:4.0.5-2 (1.2 KiB)

python-django (2:4.0.5-1) unstable; urgency=medium
  * Upload 4.x stable release stream to unstable using the 4.0.5 bugfix
    release. (The 4.x stream has been in experimental since September 2021.)
  * Update debian/gbp.conf and debian/watch to match new version series.
  * Update patches.
  * No need to delete django-admin.py script anymore; does not exist in 4.x.
 -- Chris Lamb <email address hidden>  Mon, 06 Jun 2022 12:31:50 +0100
Available diffs:
- diff from 2:3.2.13-1 to 2:4.0.5-1 (3.3 MiB)

python-django (2:3.2.13-1) unstable; urgency=high
  * New upstream security release:
    - CVE-2022-28346: Potential SQL injection in QuerySet.annotate(),
      aggregate(), and extra(). QuerySet.annotate(), aggregate(), and extra()
      methods were subject to SQL injection in column aliases, using a
      suitably crafted dictionary, with dictionary expansion, as the **kwargs
      passed to these methods.
    - CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options)
      on PostgreSQL. QuerySet.explain() method was subject to SQL injection in
      option names, using a suitably crafted dictionary, with dictionary
      expansion, as the **options argument.
    See <https://www.djangoproject.com/weblog/2022/apr/11/security-releases/>
    for more info.
 -- Chris Lamb <email address hidden>  Tue, 12 Apr 2022 18:22:30 +0200

Superseded in kinetic-release
Published in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
python-django (2:3.2.12-2ubuntu1) jammy; urgency=medium
  * SECURITY UPDATE: Potential SQL injection in QuerySet.annotate(),
    aggregate(), and extra()
    - debian/patches/CVE-2022-28346.patch: prevent SQL injection in column
      aliases in django/db/models/sql/query.py, tests/aggregation/tests.py,
      tests/annotations/tests.py, tests/queries/tests.py,
      tests/expressions/test_queryset_values.py.
    - CVE-2022-28346
  * SECURITY UPDATE: Potential SQL injection via QuerySet.explain(**options)
    on PostgreSQL
    - debian/patches/CVE-2022-28347.patch: prevent SQL injection in
      django/db/backends/postgresql/features.py,
      django/db/backends/postgresql/operations.py,
      django/db/models/sql/query.py, tests/queries/test_explain.py.
    - CVE-2022-28347
 -- Marc Deslauriers <email address hidden>  Mon, 11 Apr 2022 08:16:53 -0400

python-django (2:2.2.12-1ubuntu0.11) focal-security; urgency=medium
  * SECURITY UPDATE: Potential SQL injection in QuerySet.annotate(),
    aggregate(), and extra()
    - debian/patches/CVE-2022-28346.patch: prevent SQL injection in column
      aliases in django/db/models/sql/query.py, tests/aggregation/tests.py,
      tests/annotations/tests.py, tests/queries/tests.py,
      tests/expressions/test_queryset_values.py.
    - CVE-2022-28346
  * SECURITY UPDATE: Potential SQL injection via QuerySet.explain(**options)
    on PostgreSQL
    - debian/patches/CVE-2022-28347.patch: prevent SQL injection in
      django/db/backends/postgresql/features.py,
      django/db/backends/postgresql/operations.py,
      django/db/models/sql/query.py, tests/queries/test_explain.py.
    - CVE-2022-28347
 -- Marc Deslauriers <email address hidden>  Tue, 05 Apr 2022 12:32:17 -0400

python-django (2:2.2.24-1ubuntu1.4) impish-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra()
    - debian/patches/CVE-2022-28346.patch: prevent SQL injection in column aliases in django/db/models/sql/query.py, tests/aggregation/tests.py, tests/annotations/tests.py, tests/queries/tests.py, tests/expressions/test_queryset_values.py.
    - CVE-2022-28346
  * SECURITY UPDATE: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL
    - debian/patches/CVE-2022-28347.patch: prevent SQL injection in django/db/backends/postgresql/features.py, django/db/backends/postgresql/operations.py, django/db/models/sql/query.py, tests/queries/test_explain.py.
    - CVE-2022-28347

 -- Marc Deslauriers <email address hidden>  Tue, 05 Apr 2022 12:28:21 -0400
python-django (1:1.11.11-1ubuntu1.17) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra()
    - debian/patches/CVE-2022-28346.patch: prevent SQL injection in column aliases in django/db/models/sql/query.py, tests/aggregation/tests.py, tests/annotations/tests.py, tests/queries/tests.py, tests/expressions/test_queryset_values.py.
    - CVE-2022-28346
  * SECURITY UPDATE: header injection in URLValidator with Python security update
    - debian/patches/CVE-2021-32052.patch: prevent newlines and tabs from being accepted in URLValidator in django/core/validators.py, tests/validators/tests.py.
    - CVE-2021-32052

 -- Marc Deslauriers <email address hidden>  Tue, 05 Apr 2022 12:40:49 -0400
python-django (2:3.2.12-2) unstable; urgency=medium

  * Fix a traceback around the handling of RequestSite/get_current_site() due to a circular import by backporting commit 78163d1a from upstream. Thanks to Raphaël Hertzog for the report. (Closes: #1003478)

 -- Chris Lamb <email address hidden>  Tue, 22 Feb 2022 09:43:02 +0000
python-django (1:1.11.11-1ubuntu1.16) bionic-security; urgency=medium

  * SECURITY UPDATE: possible XSS via debug template tag
    - debian/patches/CVE-2022-22818.patch: properly encode the current context in django/template/defaulttags.py, tests/template_tests/syntax_tests/test_debug.py, tests/template_tests/tests.py.
    - CVE-2022-22818
  * SECURITY UPDATE: denial-of-service possibility in file uploads
    - debian/patches/CVE-2022-23833.patch: fix infinite loop in django/http/multipartparser.py, tests/file_uploads/tests.py.
    - CVE-2022-23833

 -- Marc Deslauriers <email address hidden>  Tue, 01 Feb 2022 10:08:56 -0500
Superseded in jammy-proposed
python-django (2:3.2.12-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2022-22818: Possible XSS via {% debug %} template tag.
      The {% debug %} template tag didn't properly encode the current context, posing an XSS attack vector. In order to avoid this vulnerability, {% debug %} no longer outputs information when the DEBUG setting is False, and it ensures all context variables are correctly escaped when the DEBUG setting is True.
    - CVE-2022-23833: Denial-of-service possibility in file uploads.
      Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
    See <https://www.djangoproject.com/weblog/2022/feb/01/security-releases/> for more information. (Closes: #1004752)

 -- Chris Lamb <email address hidden>  Tue, 01 Feb 2022 09:28:58 -0800
Available diffs
- diff from 2:3.2.11-2 to 2:3.2.12-1 (5.5 KiB)
python-django (2:2.2.12-1ubuntu0.10) focal-security; urgency=medium

  * SECURITY UPDATE: possible XSS via debug template tag
    - debian/patches/CVE-2022-22818.patch: properly encode the current context in django/template/defaulttags.py, tests/template_tests/syntax_tests/test_debug.py, tests/template_tests/tests.py.
    - CVE-2022-22818
  * SECURITY UPDATE: denial-of-service possibility in file uploads
    - debian/patches/CVE-2022-23833.patch: fix infinite loop in django/http/multipartparser.py, tests/file_uploads/tests.py.
    - CVE-2022-23833

 -- Marc Deslauriers <email address hidden>  Tue, 01 Feb 2022 10:06:20 -0500
python-django (2:2.2.24-1ubuntu1.3) impish-security; urgency=medium

  * SECURITY UPDATE: possible XSS via debug template tag
    - debian/patches/CVE-2022-22818.patch: properly encode the current context in django/template/defaulttags.py, tests/template_tests/syntax_tests/test_debug.py, tests/template_tests/tests.py.
    - CVE-2022-22818
  * SECURITY UPDATE: denial-of-service possibility in file uploads
    - debian/patches/CVE-2022-23833.patch: fix infinite loop in django/http/multipartparser.py, tests/file_uploads/tests.py.
    - CVE-2022-23833

 -- Marc Deslauriers <email address hidden>  Tue, 01 Feb 2022 10:02:39 -0500
Superseded in jammy-proposed
python-django (2:3.2.11-2) unstable; urgency=medium

  [ Chris Lamb ]
  * Fix compatibility with SQLite 3.37+. (Closes: #1004464)

  [ Salman Mohammadi ]
  * Drop references to the deprecated python3-memcache package.

 -- Chris Lamb <email address hidden>  Fri, 28 Jan 2022 08:52:06 -0800
Available diffs
- diff from 2:3.2.11-1 to 2:3.2.11-2 (1.5 KiB)