python-django (3:4.2.4-1ubuntu2.2) mantic-security; urgency=medium
* SECURITY UPDATE: regular expression denial-of-service
- debian/patches/CVE-2024-27351.patch: prevented potential ReDoS in
Truncator.words() in django/utils/text.py,
tests/utils_tests/test_text.py.
- CVE-2024-27351
-- Marc Deslauriers <email address hidden> Mon, 26 Feb 2024 11:51:37 -0500
python-django (3:4.2.4-1ubuntu2.1) mantic-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2024-24680.patch: rewrite regex logic to avoid DoS in
django/contrib/humanize/templatetags/humanize.py,
tests/humanize_tests/tests.py.
- CVE-2024-24680
-- Leonidas Da Silva Barbosa <email address hidden> Tue, 30 Jan 2024 10:38:29 -0300
python-django (3:4.2.4-1ubuntu2) mantic; urgency=medium
* SECURITY UPDATE: DoS possibility in django.utils.text.Truncator
- debian/patches/CVE-2023-43665.patch: limit size of input strings in
django/utils/text.py, tests/utils_tests/test_text.py,
docs/ref/templates/builtins.txt.
- CVE-2023-43665
-- Marc Deslauriers <email address hidden> Wed, 04 Oct 2023 13:53:21 -0400
python-django (3:4.2.4-1ubuntu1) mantic; urgency=medium
* SECURITY UPDATE: DoS in django.utils.encoding.uri_to_iri()
- debian/patches/CVE-2023-41164.patch: properly handle large number of
Unicode characters in django/utils/encoding.py,
tests/utils_tests/test_encoding.py.
- CVE-2023-41164
-- Marc Deslauriers <email address hidden> Mon, 18 Sep 2023 14:41:43 -0400
python-django (3:4.2.4-1) experimental; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/4.2/releases/4.2.4/>
-- Chris Lamb <email address hidden> Wed, 02 Aug 2023 07:53:39 +0100
python-django (3:3.2.20-1.1) unstable; urgency=high
[ Gianfranco Costamagna ]
* Non-maintainer upload.
[ Graham Inggs ]
* Cherry-pick upstream commit to fix URLValidator crash in
some edge cases (LP: #2025155, Closes: #1037920)
-- Gianfranco Costamagna <email address hidden> Tue, 04 Jul 2023 09:31:10 +0200
python-django (3:3.2.20-1ubuntu1) mantic; urgency=low
* Merge from Debian unstable. Remaining changes:
- Cherry-pick upstream commit to fix URLValidator crash in
some edge cases (LP: #2025155)
python-django (3:3.2.20-1) unstable; urgency=high
* New upstream security release:
- CVE-2023-36053: Potential regular expression denial of service
vulnerability in EmailValidator/URLValidator.
EmailValidator and URLValidator were subject to potential regular
expression denial of service attack via a very large number of domain
name labels of emails and URLs. (Closes: #1040225)
-- Gianfranco Costamagna <email address hidden> Tue, 04 Jul 2023 09:31:10 +0200
python-django (3:3.2.20-1) unstable; urgency=high
* New upstream security release:
- CVE-2023-36053: Potential regular expression denial of service
vulnerability in EmailValidator/URLValidator.
EmailValidator and URLValidator were subject to potential regular
expression denial of service attack via a very large number of domain
name labels of emails and URLs. (Closes: #1040225)
-- Chris Lamb <email address hidden> Mon, 03 Jul 2023 20:34:24 +0100
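The two entries above describe a ReDoS reachable through a very large number of domain name labels. As an added example (not Django's EmailValidator or URLValidator, and not part of this changelog), the stdlib-only checks below show the defensive pattern: enforce size bounds up front and run a bounded regex on one label at a time, so validation cost stays linear in the input. The limits are the RFC 1035/5321 values, chosen for this example.

```python
import re

# Size bounds applied before any regex runs (RFC 1035 / RFC 5321 limits;
# constructed defaults for this example, not Django's own constants).
MAX_DOMAIN_LENGTH = 253
MAX_LABEL_LENGTH = 63
MAX_EMAIL_LENGTH = 320
MAX_LOCAL_LENGTH = 64

# Matched against one label at a time: the bounded quantifier means the
# engine can backtrack at most a few dozen steps per label, never per input.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)
# Deliberately simple local-part grammar; length is bounded before it runs.
LOCAL_RE = re.compile(r"^[a-z0-9._%+-]+$", re.IGNORECASE)


def is_valid_domain(value: str) -> bool:
    """Hostname check whose cost is linear in the length of the input."""
    # Cheap length check first: oversized input never reaches the regex,
    # and the bound also caps the number of labels split() can produce.
    if not value or len(value) > MAX_DOMAIN_LENGTH:
        return False
    labels = value.rstrip(".").split(".")
    if len(labels) < 2:  # need at least host.tld
        return False
    for label in labels:
        if not 1 <= len(label) <= MAX_LABEL_LENGTH or not LABEL_RE.match(label):
            return False
    return True


def is_valid_email(value: str) -> bool:
    """Bound the whole address and its local part before looking at the domain."""
    if len(value) > MAX_EMAIL_LENGTH or value.count("@") != 1:
        return False  # quoted local parts with '@' are out of scope here
    local, domain = value.split("@")
    if not 1 <= len(local) <= MAX_LOCAL_LENGTH or not LOCAL_RE.match(local):
        return False
    return is_valid_domain(domain)
```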
python-django (3:3.2.19-1ubuntu3) mantic; urgency=medium
* Drop 2eb1f37260f0e0b71ef3a77eb5522d2bb68d6489.patch and
16729.patch; it seems these are no longer needed
* Cherry-pick upstream commit to fix URLValidator crash in
some edge cases (LP: #2025155)
-- Graham Inggs <email address hidden> Wed, 28 Jun 2023 11:20:10 +0000
python-django (3:3.2.19-1ubuntu2) mantic; urgency=medium
* Cherry-pick 2eb1f37260f0e0b71ef3a77eb5522d2bb68d6489,
another Python3.12 retro-compatible change.
-- Gianfranco Costamagna <email address hidden> Thu, 04 May 2023 09:22:42 +0200
python-django (3:3.2.19-1ubuntu1) mantic; urgency=medium
* debian/patches/16729.patch:
- cherry-pick and adapt upstream Python3.12 test fix
-- Gianfranco Costamagna <email address hidden> Thu, 04 May 2023 09:15:13 +0200
python-django (3:3.2.19-1) unstable; urgency=medium
* New upstream security release.
* CVE-2023-31047: Prevent a potential bypass of validation when uploading
multiple files using one form field.
Uploading multiple files using one form field has never been supported by
forms.FileField or forms.ImageField as only the last uploaded file was
validated. Unfortunately, the Uploading multiple files topic suggested
otherwise. In order to avoid the vulnerability, the ClearableFileInput and
FileInput form widgets now raise ValueError when the multiple HTML
attribute is set on them. To prevent the exception and keep the old
behavior, set the allow_multiple_selected attribute to True.
For more details on using the new attribute and handling of multiple files
through a single field, see:
<https://docs.djangoproject.com/en/stable/topics/http/file-uploads/#uploading-multiple-files>
(Closes: #1035467)
* Bump Standards-Version to 4.6.2.
-- Chris Lamb <email address hidden> Wed, 03 May 2023 09:32:59 -0700
python-django (3:3.2.18-1ubuntu1) mantic; urgency=medium
* SECURITY UPDATE: Potential bypass of validation when uploading multiple
files using one form field
- debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
tests/forms_tests/field_tests/test_filefield.py,
tests/forms_tests/widget_tests/test_clearablefileinput.py,
tests/forms_tests/widget_tests/test_fileinput.py.
- CVE-2023-31047
-- Marc Deslauriers <email address hidden> Wed, 26 Apr 2023 09:55:57 -0400
python-django (3:3.2.18-1) unstable; urgency=high
* New upstream security release:
- CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
Passing certain inputs to multipart forms could result in too many open
files or memory exhaustion, and provided a potential vector for a
denial-of-service attack.
The number of file parts parsed is now limited via the new
DATA_UPLOAD_MAX_NUMBER_FILES setting.
Thanks to Jakob Ackermann for the report. (Closes: #1031290)
-- Chris Lamb <email address hidden> Tue, 14 Feb 2023 09:12:57 -0800
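The CVE-2023-31047 entry (only the last of several uploaded files was validated) and the CVE-2023-24580 entry (unbounded number of file parts) both concern how a multipart/form-data body is parsed. As an added example that is not Django's code, the stdlib-only parser below caps the number of file parts, as DATA_UPLOAD_MAX_NUMBER_FILES does, and validates every file rather than the last one; the body, the limit of 2 and the allowed suffixes are constructed for this example.

```python
import email
from email import policy

# Stand-in for the DATA_UPLOAD_MAX_NUMBER_FILES setting (constructed value).
MAX_NUMBER_FILES = 2
ALLOWED_SUFFIXES = (".png", ".jpg")

# Constructed multipart/form-data body: one text field followed by two file parts.
BOUNDARY = "boundary42"
SAMPLE_BODY = (
    b'--boundary42\r\nContent-Disposition: form-data; name="title"\r\n\r\nholiday\r\n'
    b'--boundary42\r\nContent-Disposition: form-data; name="files"; filename="notes.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\nnot an image\r\n"
    b'--boundary42\r\nContent-Disposition: form-data; name="files"; filename="ok.png"\r\n'
    b"Content-Type: image/png\r\n\r\n\x89PNG\r\n"
    b"--boundary42--\r\n"
)


class TooManyFiles(ValueError):
    """Raised when the body carries more file parts than the configured limit."""


def parse_file_parts(body, boundary, max_files=MAX_NUMBER_FILES):
    """Return (field, filename, payload) for every file part, capped at max_files."""
    raw = b"Content-Type: multipart/form-data; boundary=%s\r\n\r\n%s" % (boundary.encode("ascii"), body)
    msg = email.message_from_bytes(raw, policy=policy.HTTP)
    files = []
    for part in msg.iter_parts():
        filename = part.get_filename()
        if filename is None:
            continue  # an ordinary form field, not a file
        if len(files) >= max_files:
            raise TooManyFiles(f"more than {max_files} file parts in request body")
        field = part.get_param("name", header="content-disposition")
        files.append((field, filename, part.get_payload(decode=True)))
    return files


def within_file_limit(body, boundary, max_files):
    """True when the body parses without tripping the file-count cap."""
    try:
        parse_file_parts(body, boundary, max_files)
    except TooManyFiles:
        return False
    return True


def rejected_uploads(files, allowed=ALLOWED_SUFFIXES, last_only=False):
    """Names of files failing the suffix check; last_only reproduces the
    pre-fix behaviour of validating the final uploaded file only."""
    checked = files[-1:] if last_only else files
    return [name for _, name, _ in checked if not name.lower().endswith(allowed)]
```

With the sample body, the last-only check passes a text file that the all-files check rejects, and lowering the cap to 1 makes the parser refuse the second file part.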