Change logs for python-django source package in Focal

  • python-django (2:2.2.12-1ubuntu0.22) focal-security; urgency=medium
    
      * SECURITY UPDATE: regular expression denial-of-service
        - debian/patches/CVE-2024-27351.patch: prevented potential ReDoS in
          Truncator.words() in django/utils/text.py,
          tests/utils_tests/test_text.py.
        - CVE-2024-27351
    
     -- Marc Deslauriers <email address hidden>  Mon, 26 Feb 2024 12:03:03 -0500
  • python-django (2:2.2.12-1ubuntu0.21) focal-security; urgency=medium
    
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2024-24680.patch: rewrite
          regex logic to avoid DoS in django/contrib/humanize/templatetags
          /humanize.py, tests/humanize_tests/tests.py.
        - CVE-2024-24680
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 30 Jan 2024 09:27:23 -0300
  • python-django (2:2.2.12-1ubuntu0.20) focal-security; urgency=medium
    
      * SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
        - debian/patches/CVE-2023-43665.patch: limit size of input strings in
          django/utils/text.py, tests/utils_tests/test_text.py.
        - CVE-2023-43665
    
     -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2023 13:37:46 -0400
  • python-django (2:2.2.12-1ubuntu0.19) focal-security; urgency=medium
    
      * SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
        - debian/patches/CVE-2023-41164.patch: properly handle large number of
          Unicode characters in django/utils/encoding.py,
          tests/utils_tests/test_encoding.py.
        - CVE-2023-41164
    
     -- Marc Deslauriers <email address hidden>  Fri, 15 Sep 2023 09:17:39 -0400
  • python-django (2:2.2.12-1ubuntu0.18) focal-security; urgency=medium
    
      * SECURITY UPDATE: Potential ReDoS issues
        - debian/patches/CVE-2023-36053-pre1.patch: fix URLValidator hostname
          length validation in django/core/validators.py,
          tests/validators/valid_urls.txt.
        - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
          EmailValidator and URLValidator in django/core/validators.py,
          django/forms/fields.py,
          tests/forms_tests/field_tests/test_emailfield.py,
          tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
        - CVE-2023-36053
    
     -- Marc Deslauriers <email address hidden>  Tue, 27 Jun 2023 09:40:09 -0400
  • python-django (2:2.2.12-1ubuntu0.17) focal-security; urgency=medium
    
      * SECURITY UPDATE: Potential bypass of validation when uploading multiple
        files using one form field
        - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
          in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
          tests/forms_tests/field_tests/test_filefield.py,
          tests/forms_tests/widget_tests/test_clearablefileinput.py,
          tests/forms_tests/widget_tests/test_fileinput.py.
        - CVE-2023-31047
    
     -- Marc Deslauriers <email address hidden>  Wed, 26 Apr 2023 10:03:19 -0400
  • python-django (2:2.2.12-1ubuntu0.16) focal-security; urgency=medium
    
      * SECURITY UPDATE: Potential denial-of-service in file uploads
        - debian/patches/CVE-2023-24580.patch: add limits to
          django/conf/global_settings.py, django/core/exceptions.py,
          django/core/handlers/exception.py, django/http/multipartparser.py,
          django/http/request.py, docs/ref/exceptions.txt,
          docs/ref/settings.txt, tests/handlers/test_exception.py,
          tests/requests/test_data_upload_settings.py.
        - CVE-2023-24580
    
     -- Marc Deslauriers <email address hidden>  Wed, 08 Feb 2023 08:58:48 -0500
  • python-django (2:2.2.12-1ubuntu0.15) focal-security; urgency=medium
    
      * SECURITY UPDATE: Potential DoS via Accept-Language headers
        - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
          headers in django/utils/translation/trans_real.py,
          tests/i18n/tests.py.
        - CVE-2023-23969
    
     -- Marc Deslauriers <email address hidden>  Mon, 30 Jan 2023 08:38:45 -0500
  • python-django (2:2.2.12-1ubuntu0.14) focal-security; urgency=medium
    
      * SECURITY UPDATE: Potential DoS vulnerability in internationalized URLs
        - debian/patches/CVE-2022-41323.patch: Prevented locales being
          interpreted as regular expressions in django/urls/resolvers.py,
          tests/i18n/patterns/tests.py.
        - CVE-2022-41323
    
     -- Marc Deslauriers <email address hidden>  Tue, 27 Sep 2022 09:37:54 -0400
  • python-django (2:2.2.12-1ubuntu0.13) focal-security; urgency=medium
    
      * SECURITY UPDATE: Potential reflected file download
        - debian/patches/CVE-2022-36359.patch: escaped filename in
          Content-Disposition header in django/http/response.py,
          tests/responses/test_fileresponse.py.
        - CVE-2022-36359
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 27 Jul 2022 11:31:16 -0300
  • python-django (2:2.2.12-1ubuntu0.12) focal-security; urgency=medium
    
      * SECURITY UPDATE: Potential SQL injection
        - debian/patches/CVE-2022-34265.patch: protected
          trunc/extract against SQL injection in
          django/db/backends/base/operations.py,
          django/db/models/functions/datetime.py.
        - CVE-2022-34265
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 29 Jun 2022 13:44:58 -0300
  • python-django (2:2.2.12-1ubuntu0.11) focal-security; urgency=medium
    
      * SECURITY UPDATE: Potential SQL injection in QuerySet.annotate(),
        aggregate(), and extra()
        - debian/patches/CVE-2022-28346.patch: prevent SQL injection in column
          aliases in django/db/models/sql/query.py, tests/aggregation/tests.py,
          tests/annotations/tests.py, tests/queries/tests.py,
          tests/expressions/test_queryset_values.py.
        - CVE-2022-28346
      * SECURITY UPDATE: Potential SQL injection via
        QuerySet.explain(**options) on PostgreSQL
        - debian/patches/CVE-2022-28347.patch: prevent SQL injection in
          django/db/backends/postgresql/features.py,
          django/db/backends/postgresql/operations.py,
          django/db/models/sql/query.py, tests/queries/test_explain.py.
        - CVE-2022-28347
    
     -- Marc Deslauriers <email address hidden>  Tue, 05 Apr 2022 12:32:17 -0400
  • python-django (2:2.2.12-1ubuntu0.10) focal-security; urgency=medium
    
      * SECURITY UPDATE: possible XSS via debug template tag
        - debian/patches/CVE-2022-22818.patch: properly encode the current
          context in django/template/defaulttags.py,
          tests/template_tests/syntax_tests/test_debug.py,
          tests/template_tests/tests.py.
        - CVE-2022-22818
      * SECURITY UPDATE: denial-of-service possibility in file uploads
        - debian/patches/CVE-2022-23833.patch: fix infinite loop in
          django/http/multipartparser.py, tests/file_uploads/tests.py.
        - CVE-2022-23833
    
     -- Marc Deslauriers <email address hidden>  Tue, 01 Feb 2022 10:06:20 -0500
  • python-django (2:2.2.12-1ubuntu0.9) focal-security; urgency=medium
    
      * SECURITY UPDATE: Denial-of-service possibility in
        UserAttributeSimilarityValidator
        - debian/patches/CVE-2021-45115.patch: prevent DoS in
          django/contrib/auth/password_validation.py,
          docs/topics/auth/passwords.txt, tests/auth_tests/test_validators.py.
        - CVE-2021-45115
      * SECURITY UPDATE: Potential information disclosure in dictsort template
        filter
        - debian/patches/CVE-2021-45116.patch: properly handle private
          variables in django/template/defaultfilters.py,
          docs/ref/templates/builtins.txt,
          tests/template_tests/filter_tests/test_dictsort.py,
          tests/template_tests/filter_tests/test_dictsortreversed.py.
        - CVE-2021-45116
      * SECURITY UPDATE: Potential directory-traversal via Storage.save()
        - debian/patches/CVE-2021-31542-2.patch: fix regression caused by fix
          for CVE-2021-31542, and add allow_relative_path parameter to
          validate_file_name(), required by the following patch.
        - debian/patches/CVE-2021-45452.patch: fix path traversal in
          django/core/files/storage.py,
          tests/file_storage/test_generate_filename.py,
          tests/file_storage/tests.py.
        - CVE-2021-45452
    
     -- Marc Deslauriers <email address hidden>  Tue, 04 Jan 2022 07:29:49 -0500
  • python-django (2:2.2.12-1ubuntu0.8) focal-security; urgency=medium
    
      * SECURITY UPDATE: potential bypass of an upstream access control based on
        URL paths
        - debian/patches/CVE-2021-44420.patch: fix path match in
          django/urls/resolvers.py, tests/urlpatterns/tests.py.
        - CVE-2021-44420
    
     -- Marc Deslauriers <email address hidden>  Tue, 30 Nov 2021 06:58:59 -0500
  • python-django (2:2.2.12-1ubuntu0.7) focal-security; urgency=medium
    
      * SECURITY UPDATE: header injection in URLValidator with Python 3.9.5+
        - debian/patches/CVE-2021-32052.patch: prevent newlines and tabs from
          being accepted in URLValidator in django/core/validators.py,
          tests/validators/tests.py.
        - CVE-2021-32052
      * SECURITY UPDATE: potential directory traversal via admindocs
        - debian/patches/CVE-2021-33203.patch: use safe_join in
          django/contrib/admindocs/views.py, tests/admin_docs/test_views.py.
        - CVE-2021-33203
      * SECURITY UPDATE: possible indeterminate SSRF, RFI, and LFI attacks
        since validators accepted leading zeros in IPv4 addresses
        - debian/patches/CVE-2021-33571.patch: prevent leading zeros in IPv4
          addresses in django/core/validators.py,
          tests/validators/invalid_urls.txt, tests/validators/tests.py,
          tests/validators/valid_urls.txt.
        - CVE-2021-33571
    
     -- Marc Deslauriers <email address hidden>  Wed, 26 May 2021 08:58:41 -0400
  • python-django (2:2.2.12-1ubuntu0.6) focal-security; urgency=medium
    
      * SECURITY UPDATE: Potential directory-traversal via uploaded files
        - debian/patches/CVE-2021-31542.patch: tighten path & file name
          sanitation in file uploads in django/core/files/storage.py,
          django/core/files/uploadedfile.py, django/core/files/utils.py,
          django/db/models/fields/files.py, django/http/multipartparser.py,
          django/utils/text.py, tests/file_storage/test_generate_filename.py,
          tests/file_uploads/tests.py, tests/utils_tests/test_text.py,
          tests/forms_tests/field_tests/test_filefield.py.
        - CVE-2021-31542
    
     -- Marc Deslauriers <email address hidden>  Wed, 28 Apr 2021 06:39:44 -0400
  • python-django (2:2.2.12-1ubuntu0.5) focal-security; urgency=medium
    
      * SECURITY UPDATE: Potential directory-traversal via uploaded files
        - debian/patches/CVE-2021-28658.patch: properly sanitize filenames in
          django/http/multipartparser.py, tests/file_uploads/tests.py,
          tests/file_uploads/uploadhandler.py, tests/file_uploads/urls.py,
          tests/file_uploads/views.py.
        - CVE-2021-28658
    
     -- Marc Deslauriers <email address hidden>  Tue, 30 Mar 2021 14:53:19 -0400
  • python-django (2:2.2.12-1ubuntu0.4) focal-security; urgency=medium
    
      * SECURITY UPDATE: Web cache poisoning via limited_parse_qsl()
        - debian/patches/CVE-2021-23336.patch: no longer allow ; in parse_qsl()
          in django/utils/http.py, tests/handlers/test_exception.py,
          tests/requests/test_data_upload_settings.py,
          tests/utils_tests/test_http.py.
        - CVE-2021-23336
    
     -- Marc Deslauriers <email address hidden>  Thu, 18 Feb 2021 10:40:54 -0500
  • python-django (2:2.2.12-1ubuntu0.3) focal-security; urgency=medium
    
      * SECURITY UPDATE: Potential directory-traversal via archive.extract()
        - debian/patches/CVE-2021-3281.patch: check for invalid paths in
          django/utils/archive.py.
        - CVE-2021-3281
    
     -- Marc Deslauriers <email address hidden>  Mon, 25 Jan 2021 07:31:24 -0500
  • python-django (2:2.2.12-1ubuntu0.2) focal-security; urgency=medium
    
      * SECURITY UPDATE: Incorrect permissions on intermediate-level
        directories on Python 3.7+
        - debian/patches/CVE-2020-24583.patch: set umask in
          django/core/files/storage.py, added test and test files to tests/*.
        - CVE-2020-24583
      * SECURITY UPDATE: Permission escalation in intermediate-level
        directories of the file system cache on Python 3.7+
        - debian/patches/CVE-2020-24584.patch: set umask in
          django/core/cache/backends/filebased.py, added test to
          tests/cache/tests.py.
        - CVE-2020-24584
    
     -- Marc Deslauriers <email address hidden>  Tue, 25 Aug 2020 09:58:36 -0400
  • python-django (2:2.2.12-1ubuntu0.1) focal-security; urgency=medium
    
      * SECURITY UPDATE: Potential data leakage via malformed memcached keys
        - debian/patches/CVE-2020-13254.patch: enforced cache key validation in
          memcached backends in django/core/cache/__init__.py,
          django/core/cache/backends/base.py,
          django/core/cache/backends/memcached.py, tests/cache/tests.py.
        - CVE-2020-13254
      * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
        - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin
          ForeignKeyRawIdWidget in django/contrib/admin/widgets.py,
          tests/admin_widgets/models.py, tests/admin_widgets/tests.py.
        - CVE-2020-13596
    
     -- Marc Deslauriers <email address hidden>  Thu, 28 May 2020 10:10:05 -0400
  • python-django (2:2.2.12-1) unstable; urgency=medium
    
      * New upstream release.
        <https://docs.djangoproject.com/en/3.0/releases/2.2.12/>
    
     -- Chris Lamb <email address hidden>  Wed, 01 Apr 2020 10:43:19 +0100
  • python-django (2:2.2.11-1) unstable; urgency=medium
    
      * New upstream security release. (Closes: #953102)
        <https://www.djangoproject.com/weblog/2020/mar/04/security-releases/>
    
     -- Chris Lamb <email address hidden>  Wed, 04 Mar 2020 08:01:27 -0800
  • python-django (2:2.2.10-1ubuntu1) focal; urgency=medium
    
      * SECURITY UPDATE: SQL injection in Oracle GIS functions and aggregates
        - debian/patches/CVE-2020-9402.patch: properly escaped tolerance
          parameter in GIS functions and aggregates on Oracle in
          django/contrib/gis/db/models/aggregates.py,
          django/contrib/gis/db/models/functions.py,
          tests/gis_tests/distapp/tests.py, tests/gis_tests/geoapp/tests.py.
        - CVE-2020-9402
    
     -- Marc Deslauriers <email address hidden>  Wed, 04 Mar 2020 09:05:10 -0500
  • python-django (2:2.2.10-1) unstable; urgency=medium
    
      * New upstream security release. (Closes: #950581)
        <https://www.djangoproject.com/weblog/2020/feb/03/security-releases/>
      * Bump Standards-Version to 4.5.0.
    
     -- Chris Lamb <email address hidden>  Tue, 04 Feb 2020 17:19:01 +0100
  • python-django (2:2.2.9-2ubuntu1) focal; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Mark a few failing tests as expected.
    
    python-django (2:2.2.9-2) unstable; urgency=medium
    
      * Add python3-selenium to test-dependencies and to a runtime "Suggests".
        (Closes: #947549)
    
    python-django (2:2.2.9-1) unstable; urgency=medium
    
      * New upstream security release. (Closes: #946937)
        <https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>
    
    python-django (2:2.2.8-1) unstable; urgency=medium
    
      * New upstream security release.
        <https://www.djangoproject.com/weblog/2019/dec/02/security-releases/>
    
    python-django (2:2.2.7-1) unstable; urgency=medium
    
      [ Chris Lamb ]
      * New upstream bugfix release.
        <https://docs.djangoproject.com/en/2.2/releases/2.2.7/>
    
      [ Ondřej Nový ]
      * Bump Standards-Version to 4.4.1.
    
     -- Gianfranco Costamagna <email address hidden>  Thu, 02 Jan 2020 14:23:51 +0100
  • python-django (2:2.2.9-2) unstable; urgency=medium
    
      * Add python3-selenium to test-dependencies and to a runtime "Suggests".
        (Closes: #947549)
    
     -- Chris Lamb <email address hidden>  Sat, 28 Dec 2019 11:11:37 +0000
  • python-django (2:2.2.6-1ubuntu1) focal; urgency=medium
    
      * Mark a few failing tests as expected.
    
     -- Dimitri John Ledkov <email address hidden>  Fri, 01 Nov 2019 00:13:50 +0000
  • python-django (2:2.2.6-1) unstable; urgency=medium
    
      * New upstream bugfix release.
        <https://docs.djangoproject.com/en/2.2/releases/2.2.6/>
    
     -- Chris Lamb <email address hidden>  Tue, 01 Oct 2019 10:44:50 +0100
  • python-django (1:1.11.22-1ubuntu1) eoan; urgency=medium
    
      * SECURITY UPDATE: Denial-of-service possibility in
        django.utils.text.Truncator
        - debian/patches/CVE-2019-14232.patch: adjusted regex to avoid
          backtracking issues when truncating HTML in django/utils/text.py,
          tests/template_tests/filter_tests/test_truncatewords_html.py,
          tests/utils_tests/test_text.py.
        - CVE-2019-14232
      * SECURITY UPDATE: Denial-of-service possibility in strip_tags()
        - debian/patches/CVE-2019-14233.patch: prevented excessive HTMLParser
          recursion in strip_tags() when handling incomplete HTML entities in
          django/utils/html.py, tests/utils_tests/test_html.py.
        - CVE-2019-14233
      * SECURITY UPDATE: SQL injection possibility in key and index lookups for
        JSONField/HStoreField
        - debian/patches/CVE-2019-14234.patch: protected JSONField/HStoreField
          key and index lookups against SQL injection in
          django/contrib/postgres/fields/hstore.py,
          django/contrib/postgres/fields/jsonb.py,
          tests/postgres_tests/test_hstore.py,
          tests/postgres_tests/test_json.py.
        - CVE-2019-14234
      * SECURITY UPDATE: Potential memory exhaustion in
        django.utils.encoding.uri_to_iri()
        - debian/patches/CVE-2019-14235.patch: fixed potential memory
          exhaustion in django.utils.encoding.uri_to_iri() in
          django/utils/encoding.py, tests/utils_tests/test_encoding.py.
        - CVE-2019-14235
    
     -- Marc Deslauriers <email address hidden>  Thu, 19 Sep 2019 16:21:15 +0200