Merge python-django from Debian unstable for oracular

Bug #2064448 reported by Bryce Harrington
Affects: python-django (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Lena Voytek
Milestone:

Bug Description

Upstream: tbd
Debian: 3:4.2.11-1 3:5.0.4-1
Ubuntu: 3:4.2.11-1ubuntu1

Debian new has 3:5.0.4-1, which may be available for merge soon.

If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.

If this merge pulls in a new upstream version, also consider adding an entry to the Oracular Release Notes: https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

python-django (3:4.2.11-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2024-27351: Fix a potential regular expression denial-of-service
      (ReDoS) attack in django.utils.text.Truncator.words. This method
      (with html=True) and the truncatewords_html template filter were subject
      to a potential regular expression denial-of-service attack via a suitably
      crafted string. This is, in part, a follow-up to CVE-2019-14232 and
      CVE-2023-43665.

    <https://docs.djangoproject.com/en/dev/releases/4.2.11/>

 -- Chris Lamb <email address hidden> Tue, 05 Mar 2024 13:03:35 +0000

python-django (3:4.2.10-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2024-24680: Potential denial-of-service in intcomma template filter.
      The intcomma template filter was subject to a potential denial-of-service
      attack when used with very long strings.

    <https://docs.djangoproject.com/en/dev/releases/4.2.10/>

 -- Chris Lamb <email address hidden> Tue, 06 Feb 2024 08:15:25 -0800

python-django (3:4.2.9-1) unstable; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/dev/releases/4.2.9/>

 -- Chris Lamb <email address hidden> Wed, 03 Jan 2024 11:15:04 +0000

python-django (3:4.2.8-1) unstable; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/5.0/releases/4.2.8/>

 -- Chris Lamb <email address hidden> Thu, 07 Dec 2023 13:05:03 +0000

python-django (3:4.2.6-1) unstable; urgency=high

  * New upstream security release.

    - CVE-2023-43665: Address a denial-of-service possibility in
      django.utils.text.Truncator.

      Following the fix for CVE-2019-14232, the regular expressions used in the
      implementation of django.utils.text.Truncator’s chars() and words()
      methods (with html=True) were revised and improved. However, these
      regular expressions still exhibited linear backtracking complexity, so
      when given a very long, potentially malformed HTML input, the evaluation
      would still be slow, leading to a potential denial of service
      vulnerability.

      The chars() and words() methods are used to implement the
      truncatechars_html and truncatewords_html template filters, which were
      thus also vulnerable.

      The input processed by Truncator, when operating in HTML mode, has been
      limited to the first five million characters in order to avoid potential
      performance and memory issues.

    <https://www.djangoproject.com/weblog/2023/oct/04/security-releases/>

 -- Chris Lamb <email address hidden> Thu, 05 Oct 2023 09:17:06 +0200

python-django (3:4.2.5-2) unstable; urgency=medium

  * Upload 4.2.x branch to unstable with a -2 suffix to prevent collision with
    previous upload of 3:4.2.5-1 to experimental.

 -- Chris Lamb <email address hidden> Sun, 24 Sep 2023 13:52:16 -0700

python-django (3:3.2.21-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2023-41164: Potential denial of service vulnerability in
      django.utils.encoding.uri_to_iri(). This method was subject to potential
      denial of service attack via certain inputs with a very large number of
      Unicode characters. (Closes: #1051226)

    <https://www.djangoproject.com/weblog/2023/sep/04/security-releases/>

  * Refresh patches.

 -- Chris Lamb <email address hidden> Mon, 04 Sep 2023 11:02:53 -0700

python-django (3:3.2.20-1.1) unstable; urgency=high

  [ Gianfranco Costamagna ]
  * Non-maintainer upload.

  [ Graham Inggs ]
  * Cherry-pick upstream commit to fix URLValidator crash in
    some edge cases (LP: #2025155, Closes: #1037920)

 -- Gianfranco Costamagna <email address hidden> Tue, 04 Jul 2023 09:31:10 +0200

### Old Ubuntu Delta ###

python-django (3:4.2.11-1ubuntu1) noble; urgency=medium

  * d/p/fix-mail-using-utf-8-surrogateescape.patch: Fix
    SafeMIMEText.set_payload() crash using python 3.12.3

 -- Lena Voytek <email address hidden> Tue, 16 Apr 2024 12:25:28 -0700

Bryce Harrington (bryce)
Changed in python-django (Ubuntu):
milestone: none → ubuntu-24.06
Lena Voytek (lvoytek)
Changed in python-django (Ubuntu):
assignee: nobody → Lena Voytek (lvoytek)