Date | Who | What changed | Old value | New value | Message
2021-10-13 04:06:06 | Bryce Harrington | bug | | | added bug
2021-10-13 04:06:08 | Bryce Harrington | bug | | | added subscriber Canonical Server Team
2021-10-14 15:11:39 | Athos Ribeiro | python-django (Ubuntu): assignee | | Athos Ribeiro (athos-ribeiro) |
2021-10-19 03:35:18 | Bryce Harrington | description |
Scheduled-For: 22.12
Upstream: tbd
Debian: 2:3.2.8-1 2:4.0~alpha1-1
Ubuntu: 2:2.2.24-1ubuntu1
Debian new has 2:4.0~alpha1-1
### New Debian Changes ###
python-django (2:3.2.8-1) unstable; urgency=medium
* New upstream bugfix release.
* Drop a patch applied upstream.
* Bump Standards-Version to 4.6.0.
-- Chris Lamb <lamby@debian.org> Tue, 05 Oct 2021 09:34:57 +0100
python-django (2:3.2.7-4) unstable; urgency=medium
* Skip a test that is fixed upstream (with a number of overlapping patches).
-- Chris Lamb <lamby@debian.org> Mon, 13 Sep 2021 09:03:27 +0100
python-django (2:3.2.7-3) unstable; urgency=medium
* Actually upload 3.2 branch to unstable...
-- Chris Lamb <lamby@debian.org> Thu, 09 Sep 2021 17:49:23 +0100
python-django (2:3.2.7-2) experimental; urgency=medium
* Upload 3.2 branch to unstable.
-- Chris Lamb <lamby@debian.org> Thu, 09 Sep 2021 15:51:11 +0100
python-django (2:3.2.7-1) experimental; urgency=medium
* New upstream bugfix release.
-- Chris Lamb <lamby@debian.org> Wed, 01 Sep 2021 10:46:07 +0100
python-django (2:3.2.6-1) experimental; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/3.2/releases/3.2.6/>
* Bump Standards-Version to 4.5.1.
-- Chris Lamb <lamby@debian.org> Mon, 02 Aug 2021 09:16:21 +0100
python-django (2:3.2.5-2) experimental; urgency=medium
* Don't symlink /usr/bin/django-admin to 'django-admin.py'; ship the script
generated by the entry_points system instead, otherwise we introduce a
confusing 'django-admin.py' deprecation message when using 'django-admin'.
(Closes: #991098)
-- Chris Lamb <lamby@debian.org> Thu, 15 Jul 2021 13:54:57 +0100
python-django (2:3.2.5-1) experimental; urgency=medium
* New upstream security release:
- CVE-2021-35042: Potential SQL injection via unsanitized
QuerySet.order_by() input.
Unsanitized user input passed to QuerySet.order_by() could bypass
intended column reference validation in path marked for deprecation
resulting in a potential SQL injection even if a deprecation warning is
emitted. As a mitigation, the strict column reference validation was
restored for the duration of the deprecation period. This regression
appeared in Django version 3.1 as a side effect of fixing another bug
(#31426).
For more information, please see:
<https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
-- Chris Lamb <lamby@debian.org> Thu, 01 Jul 2021 10:56:07 +0100
python-django (2:3.2.4-1) experimental; urgency=medium
* New upstream security release. (Closes: #989394)
- CVE-2021-33203: Potential directory traversal via admindocs
Staff members could use the admindocs TemplateDetailView view to
check the existence of arbitrary files. Additionally, if (and only
if) the default admindocs templates have been customized by the
developers to also expose the file contents, then not only the
existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files
within the template root directories can be loaded.
This issue has low severity, according to the Django security
policy.
Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
the CodeQL Python team for the report.
- CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
since validators accepted leading zeros in IPv4 addresses
URLValidator, validate_ipv4_address(), and
validate_ipv46_address() didn't prohibit leading zeros in octal
literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.
validate_ipv4_address() and validate_ipv46_address() validators
were not affected on Python 3.9.5+.
### Old Ubuntu Delta ###
python-django (2:2.2.24-1ubuntu1) impish; urgency=medium
* d/p/test_subparser_regression.patch: Fix test regression (LP: #1945993)
-- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 04 Oct 2021 10:56:57 -0300
|
Upstream: 3.2.8
Debian: 2:3.2.8-1 2:4.0~alpha1-1
Ubuntu: 2:2.2.24-1ubuntu1
Debian new has 2:4.0~alpha1-1
### New Debian Changes ###
python-django (2:3.2.8-1) unstable; urgency=medium
* New upstream bugfix release.
* Drop a patch applied upstream.
* Bump Standards-Version to 4.6.0.
-- Chris Lamb <lamby@debian.org> Tue, 05 Oct 2021 09:34:57 +0100
python-django (2:3.2.7-4) unstable; urgency=medium
* Skip a test that is fixed upstream (with a number of overlapping patches).
-- Chris Lamb <lamby@debian.org> Mon, 13 Sep 2021 09:03:27 +0100
python-django (2:3.2.7-3) unstable; urgency=medium
* Actually upload 3.2 branch to unstable...
-- Chris Lamb <lamby@debian.org> Thu, 09 Sep 2021 17:49:23 +0100
python-django (2:3.2.7-2) experimental; urgency=medium
* Upload 3.2 branch to unstable.
-- Chris Lamb <lamby@debian.org> Thu, 09 Sep 2021 15:51:11 +0100
python-django (2:3.2.7-1) experimental; urgency=medium
* New upstream bugfix release.
-- Chris Lamb <lamby@debian.org> Wed, 01 Sep 2021 10:46:07 +0100
python-django (2:3.2.6-1) experimental; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/3.2/releases/3.2.6/>
* Bump Standards-Version to 4.5.1.
-- Chris Lamb <lamby@debian.org> Mon, 02 Aug 2021 09:16:21 +0100
python-django (2:3.2.5-2) experimental; urgency=medium
* Don't symlink /usr/bin/django-admin to 'django-admin.py'; ship the script
generated by the entry_points system instead, otherwise we introduce a
confusing 'django-admin.py' deprecation message when using 'django-admin'.
(Closes: #991098)
-- Chris Lamb <lamby@debian.org> Thu, 15 Jul 2021 13:54:57 +0100
python-django (2:3.2.5-1) experimental; urgency=medium
* New upstream security release:
- CVE-2021-35042: Potential SQL injection via unsanitized
QuerySet.order_by() input.
Unsanitized user input passed to QuerySet.order_by() could bypass
intended column reference validation in path marked for deprecation
resulting in a potential SQL injection even if a deprecation warning is
emitted. As a mitigation, the strict column reference validation was
restored for the duration of the deprecation period. This regression
appeared in Django version 3.1 as a side effect of fixing another bug
(#31426).
For more information, please see:
<https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
-- Chris Lamb <lamby@debian.org> Thu, 01 Jul 2021 10:56:07 +0100
python-django (2:3.2.4-1) experimental; urgency=medium
* New upstream security release. (Closes: #989394)
- CVE-2021-33203: Potential directory traversal via admindocs
Staff members could use the admindocs TemplateDetailView view to
check the existence of arbitrary files. Additionally, if (and only
if) the default admindocs templates have been customized by the
developers to also expose the file contents, then not only the
existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files
within the template root directories can be loaded.
This issue has low severity, according to the Django security
policy.
Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
the CodeQL Python team for the report.
- CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
since validators accepted leading zeros in IPv4 addresses
URLValidator, validate_ipv4_address(), and
validate_ipv46_address() didn't prohibit leading zeros in octal
literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.
validate_ipv4_address() and validate_ipv46_address() validators
were not affected on Python 3.9.5+.
### Old Ubuntu Delta ###
python-django (2:2.2.24-1ubuntu1) impish; urgency=medium
* d/p/test_subparser_regression.patch: Fix test regression (LP: #1945993)
-- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 04 Oct 2021 10:56:57 -0300 |
|
2021-10-19 03:36:25 | Bryce Harrington | description |
Upstream: 3.2.8
Debian: 2:3.2.8-1 2:4.0~alpha1-1
Ubuntu: 2:2.2.24-1ubuntu1
Debian new has 2:4.0~alpha1-1
### New Debian Changes ###
python-django (2:3.2.8-1) unstable; urgency=medium
* New upstream bugfix release.
* Drop a patch applied upstream.
* Bump Standards-Version to 4.6.0.
-- Chris Lamb <lamby@debian.org> Tue, 05 Oct 2021 09:34:57 +0100
python-django (2:3.2.7-4) unstable; urgency=medium
* Skip a test that is fixed upstream (with a number of overlapping patches).
-- Chris Lamb <lamby@debian.org> Mon, 13 Sep 2021 09:03:27 +0100
python-django (2:3.2.7-3) unstable; urgency=medium
* Actually upload 3.2 branch to unstable...
-- Chris Lamb <lamby@debian.org> Thu, 09 Sep 2021 17:49:23 +0100
python-django (2:3.2.7-2) experimental; urgency=medium
* Upload 3.2 branch to unstable.
-- Chris Lamb <lamby@debian.org> Thu, 09 Sep 2021 15:51:11 +0100
python-django (2:3.2.7-1) experimental; urgency=medium
* New upstream bugfix release.
-- Chris Lamb <lamby@debian.org> Wed, 01 Sep 2021 10:46:07 +0100
python-django (2:3.2.6-1) experimental; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/3.2/releases/3.2.6/>
* Bump Standards-Version to 4.5.1.
-- Chris Lamb <lamby@debian.org> Mon, 02 Aug 2021 09:16:21 +0100
python-django (2:3.2.5-2) experimental; urgency=medium
* Don't symlink /usr/bin/django-admin to 'django-admin.py'; ship the script
generated by the entry_points system instead, otherwise we introduce a
confusing 'django-admin.py' deprecation message when using 'django-admin'.
(Closes: #991098)
-- Chris Lamb <lamby@debian.org> Thu, 15 Jul 2021 13:54:57 +0100
python-django (2:3.2.5-1) experimental; urgency=medium
* New upstream security release:
- CVE-2021-35042: Potential SQL injection via unsanitized
QuerySet.order_by() input.
Unsanitized user input passed to QuerySet.order_by() could bypass
intended column reference validation in path marked for deprecation
resulting in a potential SQL injection even if a deprecation warning is
emitted. As a mitigation, the strict column reference validation was
restored for the duration of the deprecation period. This regression
appeared in Django version 3.1 as a side effect of fixing another bug
(#31426).
For more information, please see:
<https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
-- Chris Lamb <lamby@debian.org> Thu, 01 Jul 2021 10:56:07 +0100
python-django (2:3.2.4-1) experimental; urgency=medium
* New upstream security release. (Closes: #989394)
- CVE-2021-33203: Potential directory traversal via admindocs
Staff members could use the admindocs TemplateDetailView view to
check the existence of arbitrary files. Additionally, if (and only
if) the default admindocs templates have been customized by the
developers to also expose the file contents, then not only the
existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files
within the template root directories can be loaded.
This issue has low severity, according to the Django security
policy.
Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
the CodeQL Python team for the report.
- CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
since validators accepted leading zeros in IPv4 addresses
URLValidator, validate_ipv4_address(), and
validate_ipv46_address() didn't prohibit leading zeros in octal
literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.
validate_ipv4_address() and validate_ipv46_address() validators
were not affected on Python 3.9.5+.
### Old Ubuntu Delta ###
python-django (2:2.2.24-1ubuntu1) impish; urgency=medium
* d/p/test_subparser_regression.patch: Fix test regression (LP: #1945993)
-- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 04 Oct 2021 10:56:57 -0300 |
Upstream: 3.2.8
Debian: 2:3.2.8-1 2:4.0~alpha1-1
Ubuntu: 2:2.2.24-1ubuntu1
Debian experimental has 2:4.0~alpha1-1
### New Debian Changes ###
python-django (2:3.2.8-1) unstable; urgency=medium
* New upstream bugfix release.
* Drop a patch applied upstream.
* Bump Standards-Version to 4.6.0.
-- Chris Lamb <lamby@debian.org> Tue, 05 Oct 2021 09:34:57 +0100
python-django (2:3.2.7-4) unstable; urgency=medium
* Skip a test that is fixed upstream (with a number of overlapping patches).
-- Chris Lamb <lamby@debian.org> Mon, 13 Sep 2021 09:03:27 +0100
python-django (2:3.2.7-3) unstable; urgency=medium
* Actually upload 3.2 branch to unstable...
-- Chris Lamb <lamby@debian.org> Thu, 09 Sep 2021 17:49:23 +0100
python-django (2:3.2.7-2) experimental; urgency=medium
* Upload 3.2 branch to unstable.
-- Chris Lamb <lamby@debian.org> Thu, 09 Sep 2021 15:51:11 +0100
python-django (2:3.2.7-1) experimental; urgency=medium
* New upstream bugfix release.
-- Chris Lamb <lamby@debian.org> Wed, 01 Sep 2021 10:46:07 +0100
python-django (2:3.2.6-1) experimental; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/3.2/releases/3.2.6/>
* Bump Standards-Version to 4.5.1.
-- Chris Lamb <lamby@debian.org> Mon, 02 Aug 2021 09:16:21 +0100
python-django (2:3.2.5-2) experimental; urgency=medium
* Don't symlink /usr/bin/django-admin to 'django-admin.py'; ship the script
generated by the entry_points system instead, otherwise we introduce a
confusing 'django-admin.py' deprecation message when using 'django-admin'.
(Closes: #991098)
-- Chris Lamb <lamby@debian.org> Thu, 15 Jul 2021 13:54:57 +0100
python-django (2:3.2.5-1) experimental; urgency=medium
* New upstream security release:
- CVE-2021-35042: Potential SQL injection via unsanitized
QuerySet.order_by() input.
Unsanitized user input passed to QuerySet.order_by() could bypass
intended column reference validation in path marked for deprecation
resulting in a potential SQL injection even if a deprecation warning is
emitted. As a mitigation, the strict column reference validation was
restored for the duration of the deprecation period. This regression
appeared in Django version 3.1 as a side effect of fixing another bug
(#31426).
For more information, please see:
<https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
-- Chris Lamb <lamby@debian.org> Thu, 01 Jul 2021 10:56:07 +0100
python-django (2:3.2.4-1) experimental; urgency=medium
* New upstream security release. (Closes: #989394)
- CVE-2021-33203: Potential directory traversal via admindocs
Staff members could use the admindocs TemplateDetailView view to
check the existence of arbitrary files. Additionally, if (and only
if) the default admindocs templates have been customized by the
developers to also expose the file contents, then not only the
existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files
within the template root directories can be loaded.
This issue has low severity, according to the Django security
policy.
Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
the CodeQL Python team for the report.
- CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
since validators accepted leading zeros in IPv4 addresses
URLValidator, validate_ipv4_address(), and
validate_ipv46_address() didn't prohibit leading zeros in octal
literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.
validate_ipv4_address() and validate_ipv46_address() validators
were not affected on Python 3.9.5+.
### Old Ubuntu Delta ###
python-django (2:2.2.24-1ubuntu1) impish; urgency=medium
* d/p/test_subparser_regression.patch: Fix test regression (LP: #1945993)
-- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 04 Oct 2021 10:56:57 -0300 |
|
2021-10-19 03:36:28 | Bryce Harrington | python-django (Ubuntu): milestone | | ubuntu-21.11 |
2021-11-02 16:20:10 | Robie Basak | python-django (Ubuntu): assignee | Athos Ribeiro (athos-ribeiro) | Lena Voytek (lvoytek) |
2021-11-02 16:20:16 | Robie Basak | python-django (Ubuntu): status | New | In Progress |
2021-11-05 15:38:36 | Lena Voytek | bug | | | added subscriber Lena Voytek
2021-11-24 11:39:08 | Christian Ehrhardt | python-django (Ubuntu): status | In Progress | Fix Released |
2021-11-24 11:39:10 | Christian Ehrhardt | bug watch added | | http://code.djangoproject.com/ticket/32690 |
2021-11-24 11:39:10 | Christian Ehrhardt | cve linked | | 2020-13596 |
2021-11-24 11:39:10 | Christian Ehrhardt | cve linked | | 2020-24583 |
2021-11-24 11:39:10 | Christian Ehrhardt | cve linked | | 2020-24584 |
2021-11-24 11:39:10 | Christian Ehrhardt | cve linked | | 2021-23336 |
2021-11-24 11:39:10 | Christian Ehrhardt | cve linked | | 2021-28658 |
2021-11-24 11:39:10 | Christian Ehrhardt | cve linked | | 2021-31542 |
2021-11-24 11:39:10 | Christian Ehrhardt | cve linked | | 2021-32052 |
2021-11-24 11:39:10 | Christian Ehrhardt | cve linked | | 2021-33203 |
2021-11-24 11:39:10 | Christian Ehrhardt | cve linked | | 2021-33571 |
2021-11-24 11:39:10 | Christian Ehrhardt | cve linked | | 2021-35042 |
2021-11-24 11:39:18 | Christian Ehrhardt | python-django (Ubuntu): status | Fix Released | Fix Committed |
2022-03-30 15:22:49 | Lena Voytek | python-django (Ubuntu): status | Fix Committed | Fix Released |