Merge python-django from Debian unstable for kinetic
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-django (Ubuntu) | Fix Released | Undecided | Lena Voytek |
Bug Description
Upstream: tbd
Debian: 2:3.2.13-1 2:4.0.4-1
Ubuntu: 2:3.2.12-2ubuntu1
Debian new has 2:4.0.4-1
### New Debian Changes ###
python-django (2:3.2.13-1) unstable; urgency=high
* New upstream security release:
- CVE-2022-28346: Potential SQL injection in QuerySet.annotate(),
aggregate(), and extra().
QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL
injection in column aliases, using a suitably crafted dictionary, with
dictionary expansion, as the **kwargs passed to these methods.
- CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options)
on PostgreSQL.
QuerySet.explain() method was subject to SQL injection in option names,
using a suitably crafted dictionary, with dictionary expansion, as the
**options argument.
See <https://www.djangoproject.com/weblog/2022/apr/11/security-releases/>
for more info.
-- Chris Lamb <email address hidden> Tue, 12 Apr 2022 18:22:30 +0200
python-django (2:3.2.12-2) unstable; urgency=medium
* Fix a traceback around the handling of RequestSite/
to a circular import by backporting commit 78163d1a from upstream. Thanks
to Raphaël Hertzog for the report. (Closes: #1003478)
-- Chris Lamb <email address hidden> Tue, 22 Feb 2022 09:43:02 +0000
python-django (2:3.2.12-1) unstable; urgency=high
* New upstream security release:
- CVE-2022-22818: Possible XSS via {% debug %} template tag.
The {% debug %} template tag didn't properly encode the current context,
posing an XSS attack vector.
In order to avoid this vulnerability, {% debug %} no longer outputs
information when the DEBUG setting is False, and it ensures all context
variables are correctly escaped when the DEBUG setting is True.
- CVE-2022-23833: Denial-of-service possibility in file uploads.
Passing certain inputs to multipart forms could result in an
infinite loop when parsing files.
See <https:/
for more information. (Closes: #1004752)
-- Chris Lamb <email address hidden> Tue, 01 Feb 2022 09:28:58 -0800
python-django (2:3.2.11-2) unstable; urgency=medium
[ Chris Lamb ]
* Fix compatibility with SQLite 3.37+. (Closes: #1004464)
[ Salman Mohammadi]
* Drop references to the deprecated python3-memcache package.
[ Mattia Rizzolo ]
* Add a Breaks against python3-
* Add a Breaks against python3-
-- Chris Lamb <email address hidden> Fri, 28 Jan 2022 08:52:06 -0800
python-django (2:3.2.11-1) unstable; urgency=high
* New upstream security release:
- CVE-2021-45115: Denial-of-service possibility in
UserAttri
UserAttri
submitted passwords that were artificially large relative to the
comparison values. On the assumption that access to user registration was
unrestricted this provided a potential vector for a denial-of-service
attack.
In order to mitigate this issue, relatively long values are now ignored
by UserAttributeSi
- CVE-2021-45116: Potential information disclosure in dictsort template
filter
Due to leveraging the Django Template Language's variable resolution
logic, the dictsort template filter was potentially vulnerable to
information disclosure or unintended method calls, if passed a
suitably crafted key.
In order to avoid this possibility, dictsort now works with a
restricted resolution logic, that will not call methods, nor allow
indexing on dictionaries.
- CVE-2021-45452: Potential directory-traversal via Storage.save()
Storage.
crafted file names.
### Old Ubuntu Delta ###
python-django (2:3.2.12-2ubuntu1) jammy; urgency=medium
* SECURITY UPDATE: Potential SQL injection in QuerySet.
aggregate(), and extra()
- debian/
aliases in django/
tests/
tests/
- CVE-2022-28346
* SECURITY UPDATE: Potential SQL injection via
QuerySet.
- debian/
django/
django/
django/
- CVE-2022-28347
-- Marc Deslauriers <email address hidden> Mon, 11 Apr 2022 08:16:53 -0400
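The 2:3.2.11-1 entry above names directory traversal via crafted file names passed to Storage.save() (CVE-2021-45452) but the page carries no code for it. The following is an added, stand-alone Python illustration of that class of bug and of the check a storage layer needs; it is not Django's own Storage or validate_file_name implementation, and the root directory and file names are constructed for the example.

```python
import posixpath


class SuspiciousFileOperation(Exception):
    """Raised when a file name would land outside the storage root."""


def validate_file_name(name):
    """Reject empty names, '.'/'..' components and absolute paths before any join.

    The check is component-wise, so 'uploads/../../etc/passwd' is refused even
    though parts of it look harmless. Illustrative only; not Django's own check.
    """
    if not name or name.startswith("/"):
        raise SuspiciousFileOperation(
            "File name must be a non-empty relative path: %r" % name
        )
    for part in name.split("/"):
        if part in ("", ".", ".."):
            raise SuspiciousFileOperation(
                "Detected path traversal attempt in %r" % name
            )
    return name


def safe_join(base, *paths):
    """Join and normalise, then require the result to stay under `base`.

    `base` must be an absolute POSIX path (the example roots below are
    constructed; nothing is touched on disk).
    """
    base = posixpath.normpath(base)
    final = posixpath.normpath(posixpath.join(base, *paths))
    if final != base and not final.startswith(base.rstrip("/") + "/"):
        raise SuspiciousFileOperation(
            "The joined path (%s) is located outside of the base path "
            "component (%s)" % (final, base)
        )
    return final


def storage_save_unsafe(root, name):
    """'Before' shape: the caller-supplied name is joined onto the root unchecked."""
    return posixpath.normpath(posixpath.join(root, name))


def storage_save_safe(root, name):
    """'After' shape: validate the name, then join it so it cannot escape `root`."""
    return safe_join(root, validate_file_name(name))


# Constructed sample names an upload handler might receive (not from any report).
SAMPLE_NAMES = (
    "uploads/2022/report.pdf",
    "../../etc/passwd",
    "/etc/passwd",
    "uploads/../../etc/passwd",
)


def classify(root, names=SAMPLE_NAMES):
    """Map each name to the path the hardened save would use, or 'rejected'."""
    result = {}
    for name in names:
        try:
            result[name] = storage_save_safe(root, name)
        except SuspiciousFileOperation:
            result[name] = "rejected"
    return result


if __name__ == "__main__":
    print(storage_save_unsafe("/srv/media", "../../etc/passwd"))
    for name, outcome in classify("/srv/media").items():
        print("%-28s -> %s" % (name, outcome))
```

The unsafe variant shows why normalising alone is not a defence: `posixpath.normpath` happily resolves `..` segments out of the root. The hardened variant refuses the name first and then confirms the normalised result still has the root as a prefix, which also catches anything the component check missed.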
Related branches
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server: Pending requested
Diff: 665 lines (+290/-26) (has conflicts), 23 files modified
Django.egg-info/PKG-INFO (+1/-1)
Django.egg-info/SOURCES.txt (+2/-0)
PKG-INFO (+1/-1)
debian/changelog (+32/-0)
debian/patches/0007-Refs-32786-Made-Query.clear_ordering-not-to-cause-si.patch (+7/-7)
debian/patches/0009-Fixed-33282-Fixed-a-crash-when-OR-ing-subquery-and-a.patch (+3/-3)
django/__init__.py (+1/-1)
django/db/backends/postgresql/features.py (+0/-1)
django/db/backends/postgresql/operations.py (+23/-6)
django/db/models/sql/query.py (+24/-0)
django/template/autoreload.py (+2/-2)
docs/releases/2.2.27.txt (+1/-1)
docs/releases/2.2.28.txt (+22/-0)
docs/releases/3.2.12.txt (+1/-1)
docs/releases/3.2.13.txt (+30/-0)
docs/releases/index.txt (+2/-0)
docs/releases/security.txt (+26/-0)
tests/aggregation/tests.py (+9/-0)
tests/annotations/tests.py (+43/-0)
tests/expressions/test_queryset_values.py (+9/-0)
tests/queries/test_explain.py (+31/-2)
tests/queries/tests.py (+9/-0)
tests/template_tests/test_autoreloader.py (+11/-0)
CVE References
Changed in python-django (Ubuntu): milestone: none → ubuntu-22.06
Changed in python-django (Ubuntu): assignee: nobody → Lena Voytek (lvoytek)
Changed in python-django (Ubuntu): status: New → In Progress
This bug was fixed in the package python-django - 2:3.2.13-1
Sponsored for Lena Voytek (lvoytek)
---------------
python-django (2:3.2.13-1) unstable; urgency=high
* New upstream security release:
- CVE-2022-28346: Potential SQL injection in QuerySet.annotate(),
aggregate(), and extra().
QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL
injection in column aliases, using a suitably crafted dictionary, with
dictionary expansion, as the **kwargs passed to these methods.
- CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options)
on PostgreSQL.
QuerySet.explain() method was subject to SQL injection in option names,
using a suitably crafted dictionary, with dictionary expansion, as the
**options argument.
See <https://www.djangoproject.com/weblog/2022/apr/11/security-releases/>
for more info.
-- Chris Lamb <email address hidden> Tue, 12 Apr 2022 18:22:30 +0200
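Both CVEs in the 2:3.2.13-1 entry (here and in the bug description above) share one mechanism: dictionary keys that reach a query method through `**kwargs` are used as SQL identifiers (a column alias, an EXPLAIN option name), so an attacker who controls those keys controls part of the statement. The following is an added, stand-alone Python illustration of that mechanism and of the two checks that close it; it is not Django's code and does not import Django. The denylist regex is modelled on the alias check upstream added for CVE-2022-28346 and the option allowlist on the approach taken for CVE-2022-28347, but both are this example's assumptions, as are the table name and the attacker dictionaries.

```python
import re

# Characters and sequences that can end or comment out a SQL identifier.
# Modelled on the alias check Django added for CVE-2022-28346; the exact
# pattern is this example's assumption, not text from the bug page.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")

# Allowlist of PostgreSQL EXPLAIN option names, the approach the fix for
# CVE-2022-28347 took (only known names are emitted). Set contents are an
# assumption for this example.
PG_EXPLAIN_OPTIONS = frozenset(
    {"ANALYZE", "BUFFERS", "COSTS", "SETTINGS", "SUMMARY", "TIMING", "VERBOSE", "WAL"}
)


def check_alias(alias):
    """Raise ValueError if `alias` could alter the SQL around it."""
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace characters, quotation "
            "marks, semicolons, or SQL comments."
        )
    return alias


def select_with_aliases_unsafe(table, **aliases):
    """'Before' shape: **kwargs keys are written into the SQL verbatim."""
    columns = ", ".join(f"{expr} AS {alias}" for alias, expr in aliases.items())
    return f"SELECT {columns} FROM {table}"


def select_with_aliases_safe(table, **aliases):
    """'After' shape: every alias is validated before it reaches the query text."""
    columns = ", ".join(
        f"{expr} AS {check_alias(alias)}" for alias, expr in aliases.items()
    )
    return f"SELECT {columns} FROM {table}"


def explain_prefix_unsafe(**options):
    """'Before' shape: option names are interpolated into EXPLAIN (...) unchecked."""
    parts = [f"{name.upper()} {'true' if on else 'false'}" for name, on in options.items()]
    return "EXPLAIN (" + ", ".join(parts) + ")"


def explain_prefix_safe(**options):
    """'After' shape: unknown option names are rejected before any SQL is built."""
    unknown = sorted(name for name in options if name.upper() not in PG_EXPLAIN_OPTIONS)
    if unknown:
        raise ValueError("Unknown options: %s" % ", ".join(unknown))
    return explain_prefix_unsafe(**options)


# Constructed attacker-controlled dictionaries (not from any real report): e.g.
# request parameter names an application forwards as **kwargs to a query method.
MALICIOUS_ALIASES = {"total; DROP TABLE app_account; --": "COUNT(*)"}
MALICIOUS_EXPLAIN = {"verbose) SELECT pg_sleep(10); --": True}


def demo():
    """Return (unsafe_alias_sql, unsafe_explain_sql, alias_rejected, explain_rejected)."""
    unsafe_sql = select_with_aliases_unsafe("app_order", **MALICIOUS_ALIASES)
    unsafe_explain = explain_prefix_unsafe(**MALICIOUS_EXPLAIN)
    try:
        select_with_aliases_safe("app_order", **MALICIOUS_ALIASES)
        alias_rejected = False
    except ValueError:
        alias_rejected = True
    try:
        explain_prefix_safe(**MALICIOUS_EXPLAIN)
        explain_rejected = False
    except ValueError:
        explain_rejected = True
    return unsafe_sql, unsafe_explain, alias_rejected, explain_rejected


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Python accepts any string as a key in `**` expansion, which is exactly why a dictionary built from request data is a viable injection vector here: the application never types the alias as a literal, so nothing in the language stops a key such as `total; DROP TABLE app_account; --` from reaching the query builder. A denylist is the right shape for aliases (arbitrary but constrained names); an allowlist is the right shape for EXPLAIN options (a small fixed vocabulary).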