python-django 2:4.0.6-1 source package in Ubuntu

Changelog

python-django (2:4.0.6-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2022-34265: Potential SQL injection via Trunc(kind) and
      Extract(lookup_name) arguments.

      "Trunc() and Extract() database functions were subject to SQL injection if
      untrusted data was used as a kind/lookup_name value. Applications that
      constrain the lookup name and kind choice to a known safe list are
      unaffected."

      "This security release mitigates the issue, but we have identified
      improvements to the Database API methods related to date extract and
      truncate that would be beneficial to add to Django 4.1 before its final
      release. This will impact 3rd party database backends using Django 4.1
      release candidate 1 or newer, until they are able to update to the API
      changes. We apologize for the inconvenience."

      <https://www.djangoproject.com/weblog/2022/jul/04/security-releases/>

  * Refresh patches.

 -- Chris Lamb <email address hidden>  Tue, 05 Jul 2022 12:38:15 +0100

Upload details

Uploaded by: Debian Python Team
Uploaded to: Sid
Original maintainer: Debian Python Team
Architectures: all
Section: python
Urgency: Very Urgent

Builds

Kinetic: [FULLYBUILT] amd64

Downloads

File Size SHA-256 Checksum
python-django_4.0.6-1.dsc 2.7 KiB 1f85af66abda2e50ce9207e4ba888d348e5400e04f399fd263377573551e3db6
python-django_4.0.6.orig.tar.gz 9.9 MiB a67a793ff6827fd373555537dca0da293a63a316fe34cb7f367f898ccca3c3ae
python-django_4.0.6-1.debian.tar.xz 29.8 KiB ac63b02f0a31b9f383371653a88928357a2fc16029aa1fd947aec45d959f61c7

Available diffs

No changes file available.

Binary packages built by this source

python-django-doc
python3-django