Merge python-django from Debian unstable for 22.04

Bug #1946890 reported by Bryce Harrington
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-django (Ubuntu)
Undecided
Athos Ribeiro

Bug Description

Upstream: 3.2.8
Debian: 2:3.2.8-1 2:4.0~alpha1-1
Ubuntu: 2:2.2.24-1ubuntu1

Debian experimental has 2:4.0~alpha1-1

### New Debian Changes ###

python-django (2:3.2.8-1) unstable; urgency=medium

  * New upstream bugfix release.
  * Drop a patch applied upstream.
  * Bump Standards-Version to 4.6.0.

 -- Chris Lamb <email address hidden> Tue, 05 Oct 2021 09:34:57 +0100

python-django (2:3.2.7-4) unstable; urgency=medium

  * Skip a test that is fixed upstream (with a number of overlapping patches).

 -- Chris Lamb <email address hidden> Mon, 13 Sep 2021 09:03:27 +0100

python-django (2:3.2.7-3) unstable; urgency=medium

  * Actually upload 3.2 branch to unstable...

 -- Chris Lamb <email address hidden> Thu, 09 Sep 2021 17:49:23 +0100

python-django (2:3.2.7-2) experimental; urgency=medium

  * Upload 3.2 branch to unstable.

 -- Chris Lamb <email address hidden> Thu, 09 Sep 2021 15:51:11 +0100

python-django (2:3.2.7-1) experimental; urgency=medium

  * New upstream bugfix release.

 -- Chris Lamb <email address hidden> Wed, 01 Sep 2021 10:46:07 +0100

python-django (2:3.2.6-1) experimental; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/3.2/releases/3.2.6/>
  * Bump Standards-Version to 4.5.1.

 -- Chris Lamb <email address hidden> Mon, 02 Aug 2021 09:16:21 +0100

python-django (2:3.2.5-2) experimental; urgency=medium

  * Don't symlink /usr/bin/django-admin to 'django-admin.py'; ship the script
    generated by the entry_points system instead, otherwise we introduce a
    confusing 'django-admin.py' deprecation message when using 'django-admin'.
    (Closes: #991098)

 -- Chris Lamb <email address hidden> Thu, 15 Jul 2021 13:54:57 +0100

python-django (2:3.2.5-1) experimental; urgency=medium

  * New upstream security release:

    - CVE-2021-35042: Potential SQL injection via unsanitized
      QuerySet.order_by() input.

      Unsanitized user input passed to QuerySet.order_by() could bypass
      intended column reference validation in path marked for deprecation
      resulting in a potential SQL injection even if a deprecation warning is
      emitted. As a mitigation, the strict column reference validation was
      restored for the duration of the deprecation period. This regression
      appeared in Django version 3.1 as a side effect of fixing another bug
      (#31426).

    For more information, please see:
    <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>

 -- Chris Lamb <email address hidden> Thu, 01 Jul 2021 10:56:07 +0100

python-django (2:3.2.4-1) experimental; urgency=medium

  * New upstream security release. (Closes: #989394)

    - CVE-2021-33203: Potential directory traversal via admindocs

      Staff members could use the admindocs TemplateDetailView view to
      check the existence of arbitrary files. Additionally, if (and only
      if) the default admindocs templates have been customized by the
      developers to also expose the file contents, then not only the
      existence but also the file contents would have been exposed.

      As a mitigation, path sanitation is now applied and only files
      within the template root directories can be loaded.

      This issue has low severity, according to the Django security
      policy.

      Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
      the CodeQL Python team for the report.

    - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
      since validators accepted leading zeros in IPv4 addresses

      URLValidator, validate_ipv4_address(), and
      validate_ipv46_address() didn't prohibit leading zeros in octal
      literals. If you used such values you could suffer from
      indeterminate SSRF, RFI, and LFI attacks.

      validate_ipv4_address() and validate_ipv46_address() validators
      were not affected on Python 3.9.5+.

### Old Ubuntu Delta ###

python-django (2:2.2.24-1ubuntu1) impish; urgency=medium

  * d/p/test_subparser_regression.patch: Fix test regression (LP: #1945993)

 -- Athos Ribeiro <email address hidden> Mon, 04 Oct 2021 10:56:57 -0300

Changed in python-django (Ubuntu):
assignee: nobody → Athos Ribeiro (athos-ribeiro)
Bryce Harrington (bryce)
description: updated
description: updated
Changed in python-django (Ubuntu):
milestone: none → ubuntu-21.11
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers