Accepted python-django 1.7.11-1+deb8u7 (source all) into oldoldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 06 Aug 2019 10:34:56 +0100
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Built-For-Profiles: nocheck
Architecture: source all
Version: 1.7.11-1+deb8u7
Distribution: jessie-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 934026
Changes:
 python-django (1.7.11-1+deb8u7) jessie-security; urgency=high
 .
   * Backport two security patches from upstream. (Closes: #934026)
     <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
 .
     - CVE-2019-14232: Prevent a possible denial-of-service in
       django.utils.text.Truncator.
 .
       If django.utils.text.Truncator's chars() and words() methods were passed
       the html=True argument, they were extremely slow to evaluate certain inputs
       due to a catastrophic backtracking vulnerability in a regular expression.
       The chars() and words() methods are used to implement the
       truncatechars_html and truncatewords_html template filters, which were thus
       vulnerable.
 .
       The regular expressions used by Truncator have been simplified in order to
       avoid potential backtracking issues. As a consequence, trailing punctuation
       may now at times be included in the truncated output.
 .
     - CVE-2019-14233: Prevent a possible denial-of-service in strip_tags().
 .
       Due to the behavior of the underlying HTMLParser,
       django.utils.html.strip_tags() would be extremely slow to evaluate
       certain inputs containing large sequences of nested incomplete HTML
       entities. The strip_tags() method is used to implement the corresponding
       striptags template filter, which was thus also vulnerable.
 .
       strip_tags() now avoids recursive calls to HTMLParser when progress
       removing tags, but necessarily incomplete HTML entities, stops being made.
 .
       Remember that absolutely NO guarantee is provided about the results of
       strip_tags() being HTML safe. So NEVER mark safe the result of a
       strip_tags() call without escaping it first, for example with
       django.utils.html.escape().
 .
   * Correct a previous changelog entry to refer to CVE-2019-12781, not
     CVE-2019-12308.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
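
The strip_tags() guidance in the CVE-2019-14233 entry above, as an added example that is not part of the upload notice and is not Django's or Debian's code. It uses only the Python standard library: `strip_tags_bounded` and `render_untrusted` are hypothetical names, the progress check is modelled on the changelog's description, and `html.escape` stands in for django.utils.html.escape().

```python
import html
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Keeps text and entity references, discards tags."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append("&%s;" % name)

    def handle_charref(self, name):
        self.parts.append("&#%s;" % name)


def strip_once(value):
    """Run a single parser pass over value and return the text it kept."""
    parser = _TagStripper()
    parser.feed(value)
    parser.close()
    return "".join(parser.parts)


def strip_tags_bounded(value):
    """Strip tags repeatedly, stopping as soon as a pass removes no '<'.

    Returns (text, passes). Without the progress check, input the parser
    cannot reduce would be fed back to it again and again.
    """
    passes = 0
    while "<" in value and ">" in value:
        stripped = strip_once(value)
        passes += 1
        if stripped.count("<") == value.count("<"):
            break  # no progress: give up instead of re-parsing
        value = stripped
    return value, passes


def render_untrusted(value):
    """Strip tags, then escape: stripped text can still contain '<' and '>'."""
    text, _ = strip_tags_bounded(value)
    return html.escape(text)
```

With the constructed input `1 < 2 <b>bold</b>`, stripping leaves `1 < 2 bold`, which still contains a raw `<`; only the escaped form `1 &lt; 2 bold` is suitable for marking safe.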