• Accepted python-django 2:2.2.28-1~deb11u1 (source all) into proposed-up

    From Debian FTP Masters@21:1/5 to All on Thu Oct 20 22:50:02 2022
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Format: 1.8
    Date: Fri, 14 Oct 2022 10:02:41 -0700
    Source: python-django
    Binary: python-django-doc python3-django
    Architecture: source all
    Version: 2:2.2.28-1~deb11u1
    Distribution: bullseye-security
    Urgency: medium
    Maintainer: Debian Python Team <team+python@tracker.debian.org>
    Changed-By: Chris Lamb <lamby@debian.org>
    Description:
    python-django-doc - High-level Python web development framework (documentation)
    python3-django - High-level Python web development framework
    Closes: 1004752 1009677 1014541
    Changes:
     python-django (2:2.2.28-1~deb11u1) bullseye-security; urgency=medium
     .
       * New upstream security release:
         <https://docs.djangoproject.com/en/4.0/releases/2.2.28/>
     .
         - CVE-2022-28346: Prevent a potential SQL injection in QuerySet.annotate(),
           aggregate() and extra(). These methods were subject to SQL injection in
           column aliases. (Closes: #1009677)
     .
         - CVE-2022-28347: Prevent a SQL injection attack via
           QuerySet.explain(**options) when using the PostgreSQL database.
           QuerySet.explain() method was subject to SQL injection in option names.
           (Closes: #1009677)
     .
       * Incorporates changes from previous 2.2.27 security release:
         <https://docs.djangoproject.com/en/4.0/releases/2.2.27/>
     .
         - CVE-2022-22818: Prevent a possible XSS vulnerability via the {% debug %}
           template tag. This tag didn't correctly encode the current context,
           posing an XSS attack vector. In order to avoid this vulnerability, {%
           debug %} no longer outputs information when the DEBUG setting is False,
           and it ensures all context variables are correctly escaped when the
           DEBUG setting is True. (Closes: #1004752)
     .
         - CVE-2022-23833: Prevent a denial-of-service opportunity in file uploads.
           Passing certain inputs to multipart forms could result in an infinite
           loop when parsing files. (Closes: #1004752)
     .
       * Additionally backport the following patches from upstream:
     .
         - CVE-2022-34265: Prevent an issue with the Trunc() and Extract() database
           functions which were potentially subject to SQL injection if untrusted
           data was used as a kind/lookup_name value. Applications that constrain
           the lookup name and kind choice to a known safe list were unaffected by
           this vulnerability. (Closes: #1014541)
     .
         - CVE-2022-36359: Fix a reflected file download (RFD) attack that could be
           exploited if the application sets the Content-Disposition header of a
           FileResponse derived from user-supplied input.
     .
         - CVE-2022-41323: Prevent a potential denial-of-service vulnerability in
           internationalised URLs that was exploitable via the "locale" parameter.
           This is now escaped to avoid this possibility.
    Checksums-Sha1:
    9cddce1870db7624f6e9b8cdcf98653eec45d41d 2811 python-django_2.2.28-1~deb11u1.dsc
    0661bddaeca016d84abc4c808c1c677cd7d4aa7b 9187543 python-django_2.2.28.orig.tar.gz
    b78623bbfa58f320c83472c8a8ef2c0b66a03e09 31420 python-django_2.2.28-1~deb11u1.debian.tar.xz
    45c5ff3bd4c47eca4fe153b91d7cd36f39a38b03 3180904 python-django-doc_2.2.28-1~deb11u1_all.deb
    a07943d495cd7b90db6c3312bffb2f701da61557 13889 python-django_2.2.28-1~deb11u1_amd64.buildinfo
    c4452496092e117a41a7f7a69dbad62c41ab665d 2684524 python3-django_2.2.28-1~deb11u1_all.deb
    Checksums-Sha256:
    60f516ebc4090d52fea1603e35bed69a4b20276d3ec67d33af14ccee7c8c692b 2811 python-django_2.2.28-1~deb11u1.dsc
    0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413 9187543 python-django_2.2.28.orig.tar.gz
    fdd1152d77b4e4ddeeabf570f101facb17f29c25600ea124d1972bccbfaf9a38 31420 python-django_2.2.28-1~deb11u1.debian.tar.xz
    098509e19f190d4944e6a0ffb85056c8269b91e672981efb72513473d397f17c 3180904 python-django-doc_2.2.28-1~deb11u1_all.deb
    2ae3aa1df653b2b7263cc3cff665565c5278a68a117220d66cb7318b864eaeeb 13889 python-django_2.2.28-1~deb11u1_amd64.buildinfo
    0df5e64763f7ec5c6023cb5b7d0df1136b0573735db30ab3d5a1f723ae2520e7 2684524 python3-django_2.2.28-1~deb11u1_all.deb
    Files:
    1bded5ba447331b41628246ab0830184 2811 python optional python-django_2.2.28-1~deb11u1.dsc
    62550f105ef66ac7d08e0126f457578a 9187543 python optional python-django_2.2.28.orig.tar.gz
    a21053bbb107df253aabfe9afee729e2 31420 python optional python-django_2.2.28-1~deb11u1.debian.tar.xz
    2f3eaf451296f52b24342a687011f279 3180904 doc optional python-django-doc_2.2.28-1~deb11u1_all.deb
    b3262db3c110b64f59e87aab36999543 13889 python optional python-django_2.2.28-1~deb11u1_amd64.buildinfo
    6e0a9e69aa96b9fa74fd0f99e98854f5 2684524 python optional python3-django_2.2.28-1~deb11u1_all.deb

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmNJticACgkQHpU+J9Qx
    HlgqQBAAnn8Wdktc4ctzmqkoYXPl24oj6gBGJSXBfwXSaz5Z80FEovL9U37RBBC8
    UyFlwt4VVqq1wgMgYhP0ubxSh2w2XeO27Q28iIULtCzt/z7S88ZyQGurYBz99+7/
    ++AbirEK4nqjlUo02Nl4GJnzPPnjl+dIbw1e9njeDG+6lZ7MW07bUUf8+PJ+nkhA
    owDdM5+ozOayW1Y9u3rhqw0X501DK1jAb93SuhJTxkTm7ISp+hnvj7ZNzIG5e1n7
    AWE4xc1UpFXMYwP1NShbppBDOx0HG9wyqGZ34kuEgQZJeGQm1RHqlTg1xIgJ8rz7
    FBYOUHqan1VUvs0pfq5hjTt5/DpRu7IGEapw+jAcNMP7zTlqDBD3lhrUUkzOqsRk
    mcEOByaltcMQs+OfQH/C/Hi2c8C+kA1Ztpwpp3Bc3wXDqcLJn3onziDg8gsSrYbY
    y2IAqdmTxdp/fvzNVQuep3GKzMifeqycnubXjyQU6Muyl7CofT5IQpLHpgRj7aCq
    NQEYjhKgU2eTzmQMT2XvV5Ou2tQT37OftmpH1r+yq2f+ADLolL+6Oe3uoirnnJBm
    BGwWwT8n7peqSqNt/oqc80mjSlKwXlBsY0f+Z1jJlXGxmnN+ckX/m34GvyrNbWqI
    O9towxUvN9f9TyhT0twSGIvs2b46QOKqRy2JBcd4Pfs6Pybqo88=
    =kczC
    -----END PGP SIGNATURE-----
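The Checksums-Sha256 and Files fields above are what a mirror consumer or auditor checks before trusting the downloaded artefacts. The script below is an added example, not part of this upload notice and not Debian's own tooling (dscverify and friends): it parses the checksum fields of a .changes file, then hashes the files in a directory and reports ok, MISMATCH or missing per entry. The Sha256 and Files blocks embedded in it are copied from this notice; the demo() fixture (good.txt, bad.txt, absent.txt and their digests) is constructed for the example. It does not verify the PGP signature, which should be checked separately against the archive's signing key.

```python
import hashlib
import os
import tempfile

# Copied from the .changes notice above (leading single space per continuation
# line is the deb822 convention; the Files field carries md5 plus section/priority).
CHANGES_EXCERPT = """\
Checksums-Sha256:
 60f516ebc4090d52fea1603e35bed69a4b20276d3ec67d33af14ccee7c8c692b 2811 python-django_2.2.28-1~deb11u1.dsc
 0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413 9187543 python-django_2.2.28.orig.tar.gz
 fdd1152d77b4e4ddeeabf570f101facb17f29c25600ea124d1972bccbfaf9a38 31420 python-django_2.2.28-1~deb11u1.debian.tar.xz
 098509e19f190d4944e6a0ffb85056c8269b91e672981efb72513473d397f17c 3180904 python-django-doc_2.2.28-1~deb11u1_all.deb
 2ae3aa1df653b2b7263cc3cff665565c5278a68a117220d66cb7318b864eaeeb 13889 python-django_2.2.28-1~deb11u1_amd64.buildinfo
 0df5e64763f7ec5c6023cb5b7d0df1136b0573735db30ab3d5a1f723ae2520e7 2684524 python3-django_2.2.28-1~deb11u1_all.deb
Files:
 1bded5ba447331b41628246ab0830184 2811 python optional python-django_2.2.28-1~deb11u1.dsc
 62550f105ef66ac7d08e0126f457578a 9187543 python optional python-django_2.2.28.orig.tar.gz
 a21053bbb107df253aabfe9afee729e2 31420 python optional python-django_2.2.28-1~deb11u1.debian.tar.xz
 2f3eaf451296f52b24342a687011f279 3180904 doc optional python-django-doc_2.2.28-1~deb11u1_all.deb
 b3262db3c110b64f59e87aab36999543 13889 python optional python-django_2.2.28-1~deb11u1_amd64.buildinfo
 6e0a9e69aa96b9fa74fd0f99e98854f5 2684524 python optional python3-django_2.2.28-1~deb11u1_all.deb
"""

# Which hash each checksum field carries.
ALGOS = {"Checksums-Sha256": "sha256", "Checksums-Sha1": "sha1", "Files": "md5"}


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one checksum field.

    A field's continuation lines are those starting with whitespace; the first
    token is the digest, the second the size and the last the file name (the
    Files field has section/priority columns in between, which are ignored)."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not line[:1].isspace():
            in_field = line.rstrip() == field + ":"
            continue
        if in_field and line.strip():
            parts = line.split()
            entries[parts[-1]] = (parts[0].lower(), int(parts[1]))
    return entries


def verify_file(path, expected_digest, expected_size, algo):
    """Hash the file in chunks and compare both size and digest."""
    h = hashlib.new(algo)
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
            size += len(chunk)
    return size == expected_size and h.hexdigest() == expected_digest


def verify_directory(changes_text, directory, field="Checksums-Sha256"):
    """Check every entry of `field` against the files in `directory`."""
    algo = ALGOS[field]
    results = {}
    for name, (digest, size) in parse_checksums(changes_text, field).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif verify_file(path, digest, size, algo):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


# Parsed view of the notice's own SHA-256 entries.
PAGE_SHA256 = parse_checksums(CHANGES_EXCERPT)


def demo():
    """Constructed fixture: one intact file, one tampered file, one missing file."""
    digest = hashlib.sha256(b"hello\n").hexdigest()  # constructed reference content
    sample = "Checksums-Sha256:\n" + "".join(
        f" {digest} 6 {name}\n" for name in ("good.txt", "bad.txt", "absent.txt")
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.txt"), "wb") as f:
            f.write(b"hello\n")
        with open(os.path.join(d, "bad.txt"), "wb") as f:
            f.write(b"hullo\n")  # same length: a size-only check would pass this
        return verify_directory(sample, d)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{state:9} {name}")
    print(f"{len(PAGE_SHA256)} SHA-256 entries parsed from the notice")
```

Point it at a directory holding the six files listed in the notice (verify_directory(CHANGES_EXCERPT, path)) to reproduce the archive check; an entry reported as MISMATCH means the file on disk is not the one that was signed and should not be installed or rebuilt from.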
