
Accepted python-django 2:3.2.11-1 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Jan 2022 12:35:16 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.11-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1003113
Changes:
 python-django (2:3.2.11-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2021-45115: Denial-of-service possibility in
       UserAttributeSimilarityValidator
 .
       UserAttributeSimilarityValidator incurred significant overhead evaluating
       submitted passwords that were artificially large relative to the
       comparison values. On the assumption that access to user registration was
       unrestricted this provided a potential vector for a denial-of-service
       attack.
 .
       In order to mitigate this issue, relatively long values are now ignored
       by UserAttributeSimilarityValidator.
 .
     - CVE-2021-45116: Potential information disclosure in dictsort template
       filter
 .
       Due to leveraging the Django Template Language's variable resolution
       logic, the dictsort template filter was potentially vulnerable to
       information disclosure or unintended method calls, if passed a
       suitably crafted key.
 .
       In order to avoid this possibility, dictsort now works with a
       restricted resolution logic, that will not call methods, nor allow
       indexing on dictionaries.
 .
     - CVE-2021-45452: Potential directory-traversal via Storage.save()
 .
       Storage.save() allowed directory-traversal if directly passed suitably
       crafted file names.
 .
     See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
     for more information. (Closes: #1003113)

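
The CVE-2021-45115 mitigation described in the changelog above, sketched as an added example (not Django's or Debian's code): a similarity check that skips any comparison the length ratio already rules out. The 0.7 threshold, the function names and the sample attributes are assumptions of this example, and the length bound is one way to decide what counts as "relatively long", not necessarily upstream's rule.

```python
import re
from difflib import SequenceMatcher

MAX_SIMILARITY = 0.7  # assumed threshold for this example


def ratio_upper_bound(password, value):
    """Best SequenceMatcher ratio possible given only the two lengths.

    ratio = 2*M / (len(a) + len(b)), and the number of matching
    characters M can never exceed the length of the shorter string.
    """
    total = len(password) + len(value)
    return 2 * min(len(password), len(value)) / total if total else 1.0


def similar_attribute(password, attributes, max_similarity=MAX_SIMILARITY):
    """Return (attribute_name or None, comparisons_run).

    `attributes` maps attribute name -> value (constructed input here).
    The comparison count shows how much work a submission caused.
    """
    password = password.lower()
    comparisons = 0
    for name, value in attributes.items():
        value = (value or "").lower()
        # Compare against each word-like part and the whole value.
        for part in re.split(r"\W+", value) + [value]:
            if not part:
                continue
            # Guard: a password far longer than the part cannot reach the
            # threshold, so the costly comparison is skipped entirely.
            if ratio_upper_bound(password, part) < max_similarity:
                continue
            comparisons += 1
            matcher = SequenceMatcher(a=password, b=part)
            if matcher.quick_ratio() >= max_similarity:
                return name, comparisons
    return None, comparisons


if __name__ == "__main__":
    user = {"username": "alice", "email": "alice@example.org"}  # constructed
    for candidate in ("alice1", "correct horse battery", "x" * 100_000):
        print(len(candidate), similar_attribute(candidate, user))
```

Because the guard is an upper bound on the ratio, it never hides a password that would have been rejected; it only removes comparisons whose outcome is already known.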