Your message dated Sat, 05 Jun 2021 22:50:55 +0000
with message-id <[email protected]>
and subject line unblock python-django
has caused the Debian Bug report #989426,
regarding unblock: python-django/2:2.2.24-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
989426: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989426
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
User: [email protected]
Usertags: unblock
Dear Release Team,
Please consider unblocking python-django 2:2.2.24-1. It actually
constitutes two versions, the first addressing security releases which
should be uncontroversial and the second (2:2.2.23-1) fixes a
regression from the previous version. Quoting from the debdiff (which
can be found attached):
* Fixed a regression in Django 2.2.21 where saving ``FileField`` would raise
a
``SuspiciousFileOperation`` even when a custom
:attr:`~django.db.models.FileField.upload_to` returns a valid file path
(:ticket:`32718`).
This unblock would also incorporate a minor upstream change to the
documentation that points to Libera.chat over Freenode for the
project's IRC channel.
python-django (2:2.2.24-1) unstable; urgency=medium
* New upstream security release. (Closes: #989394)
- CVE-2021-33203: Potential directory traversal via admindocs
Staff members could use the admindocs TemplateDetailView view to
check the existence of arbitrary files. Additionally, if (and only
if) the default admindocs templates have been customized by the
developers to also expose the file contents, then not only the
existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files
within the template root directories can be loaded.
This issue has low severity, according to the Django security
policy.
Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
the CodeQL Python team for the report.
- CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
since validators accepted leading zeros in IPv4 addresses
URLValidator, validate_ipv4_address(), and
validate_ipv46_address() didn't prohibit leading zeros in octal
literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.
validate_ipv4_address() and validate_ipv46_address() validators
were not affected on Python 3.9.5+.
This issue has medium severity, according to the Django security
policy.
-- Chris Lamb <[email protected]> Wed, 02 Jun 2021 16:15:13 +0100
python-django (2:2.2.23-1) unstable; urgency=medium
* New upstream release.
<https://docs.djangoproject.com/en/3.2/releases/2.2.23/>
-- Chris Lamb <[email protected]> Thu, 13 May 2021 10:41:04 +0100
As mentioned above, the full debdiff is attached.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---
