Merge python-django from Debian unstable for kinetic

Bug #1971314 reported by Bryce Harrington
Affects: python-django (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Lena Voytek

Bug Description

Upstream: tbd
Debian: 2:3.2.13-1 2:4.0.4-1
Ubuntu: 2:3.2.12-2ubuntu1

Debian new has 2:4.0.4-1

### New Debian Changes ###

python-django (2:3.2.13-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2022-28346: Potential SQL injection in QuerySet.annotate(),
      aggregate(), and extra().

      QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL
      injection in column aliases, using a suitably crafted dictionary, with
      dictionary expansion, as the **kwargs passed to these methods.

    - CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options)
      on PostgreSQL.

      QuerySet.explain() method was subject to SQL injection in option names,
      using a suitably crafted dictionary, with dictionary expansion, as the
      **options argument.

    See <https://www.djangoproject.com/weblog/2022/apr/11/security-releases/>
    for more info.

 -- Chris Lamb <email address hidden> Tue, 12 Apr 2022 18:22:30 +0200

python-django (2:3.2.12-2) unstable; urgency=medium

  * Fix a traceback around the handling of RequestSite/get_current_site() due
    to a circular import by backporting commit 78163d1a from upstream. Thanks
    to Raphaël Hertzog for the report. (Closes: #1003478)

 -- Chris Lamb <email address hidden> Tue, 22 Feb 2022 09:43:02 +0000

python-django (2:3.2.12-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2022-22818: Possible XSS via {% debug %} template tag.

      The {% debug %} template tag didn't properly encode the current context,
      posing an XSS attack vector.

      In order to avoid this vulnerability, {% debug %} no longer outputs
      information when the DEBUG setting is False, and it ensures all context
      variables are correctly escaped when the DEBUG setting is True.

    - CVE-2022-23833: Denial-of-service possibility in file uploads.

      Passing certain inputs to multipart forms could result in an
      infinite loop when parsing files.

    See <https://www.djangoproject.com/weblog/2022/feb/01/security-releases/>
    for more information. (Closes: #1004752)

 -- Chris Lamb <email address hidden> Tue, 01 Feb 2022 09:28:58 -0800

python-django (2:3.2.11-2) unstable; urgency=medium

  [ Chris Lamb ]
  * Fix compatibility with SQLite 3.37+. (Closes: #1004464)

  [ Salman Mohammadi ]
  * Drop references to the deprecated python3-memcache package.

  [ Mattia Rizzolo ]
  * Add a Breaks against python3-django-countries (<< 7,1~).
  * Add a Breaks against python3-django-tables2 (<< 2.3.4) (see #985774).

 -- Chris Lamb <email address hidden> Fri, 28 Jan 2022 08:52:06 -0800

python-django (2:3.2.11-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2021-45115: Denial-of-service possibility in
      UserAttributeSimilarityValidator

      UserAttributeSimilarityValidator incurred significant overhead evaluating
      submitted passwords that were artificially large relative to the
      comparison values. On the assumption that access to user registration was
      unrestricted, this provided a potential vector for a denial-of-service
      attack.

      In order to mitigate this issue, relatively long values are now ignored
      by UserAttributeSimilarityValidator.

    - CVE-2021-45116: Potential information disclosure in dictsort template
      filter

      Due to leveraging the Django Template Language's variable resolution
      logic, the dictsort template filter was potentially vulnerable to
      information disclosure or unintended method calls, if passed a
      suitably crafted key.

      In order to avoid this possibility, dictsort now works with a
      restricted resolution logic, that will not call methods, nor allow
      indexing on dictionaries.

    - CVE-2021-45452: Potential directory-traversal via Storage.save()

      Storage.save() allowed directory-traversal if directly passed suitably
      crafted file names.

### Old Ubuntu Delta ###

python-django (2:3.2.12-2ubuntu1) jammy; urgency=medium

  * SECURITY UPDATE: Potential SQL injection in QuerySet.annotate(),
    aggregate(), and extra()
    - debian/patches/CVE-2022-28346.patch: prevent SQL injection in column
      aliases in django/db/models/sql/query.py, tests/aggregation/tests.py,
      tests/annotations/tests.py, tests/queries/tests.py,
      tests/expressions/test_queryset_values.py.
    - CVE-2022-28346
  * SECURITY UPDATE: Potential SQL injection via
    QuerySet.explain(**options) on PostgreSQL
    - debian/patches/CVE-2022-28347.patch: prevent SQL injection in
      django/db/backends/postgresql/features.py,
      django/db/backends/postgresql/operations.py,
      django/db/models/sql/query.py, tests/queries/test_explain.py.
    - CVE-2022-28347

 -- Marc Deslauriers <email address hidden> Mon, 11 Apr 2022 08:16:53 -0400
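Both SQL-injection entries above (CVE-2022-28346 and CVE-2022-28347) share one root cause: dictionary keys supplied by a caller become column aliases or EXPLAIN option names once the dict is expanded as **kwargs or **options. The following is an added example, not code from the Debian or Ubuntu packages and not Django's own patch; it shows a defensive guard that validates such keys before they reach annotate(), aggregate(), extra() or explain(). The allow-list regex, the function names and the sample dict are assumptions constructed for this illustration.

```python
import re

# Assumption (constructed for this example, not Django's patch): column aliases
# and explain() option names must be plain identifiers. Anything else is rejected
# before it can be interpolated into SQL.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def check_alias(name: str) -> str:
    """Return `name` unchanged if it is a safe identifier, else raise ValueError."""
    if not isinstance(name, str) or not IDENTIFIER_RE.fullmatch(name):
        raise ValueError(f"rejected unsafe alias/option name: {name!r}")
    return name


def validate_names(untrusted: dict) -> dict:
    """Validate every key of a dict before it is expanded as **kwargs/**options.

    Values are left untouched: the defect described in the changelog was in the
    keys (aliases / option names), which are not parameterised by the driver.
    """
    return {check_alias(key): value for key, value in untrusted.items()}


def partition(untrusted: dict) -> tuple:
    """Split a dict into accepted entries and rejected keys, e.g. for audit logging."""
    accepted, rejected = {}, []
    for key, value in untrusted.items():
        try:
            accepted[check_alias(key)] = value
        except ValueError:
            rejected.append(key)
    return accepted, rejected


# Constructed sample: keys as a client might supply them for dictionary expansion.
SAMPLE_PARAMS = {
    "total_orders": "Count('order')",   # accepted: plain identifier
    "avg_price": "Avg('order__price')",  # accepted
    'bad"alias': "Count('id')",          # rejected: contains a quote
    "with space": "Count('id')",         # rejected: whitespace
    "semi;colon": "Count('id')",         # rejected: statement separator
    "1st": "Count('id')",                # rejected: must not start with a digit
}

if __name__ == "__main__":
    ok, bad = partition(SAMPLE_PARAMS)
    print("accepted:", sorted(ok))
    print("rejected:", bad)
```

Call validate_names() (which raises) on the untrusted dict right before the ORM call, or partition() when rejected keys should be logged and dropped rather than abort the request.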

Bryce Harrington (bryce)
Changed in python-django (Ubuntu):
milestone: none → ubuntu-22.06
Lena Voytek (lvoytek)
Changed in python-django (Ubuntu):
assignee: nobody → Lena Voytek (lvoytek)
Lena Voytek (lvoytek)
Changed in python-django (Ubuntu):
status: New → In Progress
Bryce Harrington (bryce) wrote :

This bug was fixed in the package python-django - 2:3.2.13-1
Sponsored for Lena Voytek (lvoytek)


Changed in python-django (Ubuntu):
status: In Progress → Fix Released