-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 13 Jan 2022 11:11:29 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.26-1~deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 1003113 1003478
Changes:
 python-django (2:2.2.26-1~deb11u1) bullseye; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-45115: Denial-of-service possibility in
       UserAttributeSimilarityValidator
 .
       UserAttributeSimilarityValidator incurred significant overhead
       evaluating submitted passwords that were artificially large
       relative to the comparison values. On the assumption that access
       to user registration was unrestricted this provided a potential
       vector for a denial-of-service attack.
 .
       In order to mitigate this issue, relatively long values are now
       ignored by UserAttributeSimilarityValidator.
 .
     - CVE-2021-45116: Potential information disclosure in dictsort
       template filter
 .
       Due to leveraging the Django Template Language's variable
       resolution logic, the dictsort template filter was potentially
       vulnerable to information disclosure or unintended method calls,
       if passed a suitably crafted key.
 .
       In order to avoid this possibility, dictsort now works with a
       restricted resolution logic, that will not call methods, nor
       allow indexing on dictionaries.
 .
     - CVE-2021-45452: Potential directory-traversal via Storage.save()
 .
       Storage.save() allowed directory-traversal if directly passed
       suitably crafted file names.
 .
       See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
       for more information. (Closes: #1003113)
 .
   * Fix a traceback around the handling of RequestSite/get_current_site()
     due to a circular import by backporting commit 78163d1a from
     upstream. Thanks to Raphaël Hertzog for the report.
     (Closes: #1003478)
Checksums-Sha1:
 baca602a3707fb112803ee2dc6e1d15f0cfb3bc0 2811 python-django_2.2.26-1~deb11u1.dsc
 4c917a122b8d79a765e4d6098a59f07144260983 9207984 python-django_2.2.26.orig.tar.gz
 046056ae1333d5c2de2c14e57fcd814d2dc293e6 28276 python-django_2.2.26-1~deb11u1.debian.tar.xz
 5db4278ee9d7af06ebe2bda85eb5db5fba564698 7825 python-django_2.2.26-1~deb11u1_amd64.buildinfo
Checksums-Sha256:
 3ad5c9a9653cbd78d410a4da4727672f9a5e62fc8e3aa16cecc7e421a6da8df3 2811 python-django_2.2.26-1~deb11u1.dsc
 a84c71495d12388ea3e7cb271ba0b6c020e51831477a65e7cd00fe1cce80d103 9207984 python-django_2.2.26.orig.tar.gz
 05b73ac1ed05d597f480dd8660241419dd22e8abd89969dca5b08b190085369a 28276 python-django_2.2.26-1~deb11u1.debian.tar.xz
 96c0b5fa30b4c1136159283e0a4d21577865509fe64c09e8990163c0531dfeae 7825 python-django_2.2.26-1~deb11u1_amd64.buildinfo
Files:
 3bdeb77c79b05ca56d820526b047be29 2811 python optional python-django_2.2.26-1~deb11u1.dsc
 bab60abc268ae5be2cd38ad1ae079d76 9207984 python optional python-django_2.2.26.orig.tar.gz
 684ebf29ae23444b3065c7cb48a0bb9b 28276 python optional python-django_2.2.26-1~deb11u1.debian.tar.xz
 463d571f36225897895b06ac0189220d 7825 python optional python-django_2.2.26-1~deb11u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmHgCg4ACgkQHpU+J9Qx
HlhyZhAAkjaXFxoR/HhAywX1rk0VEhmT+PYtZOVg8+zXbyfPL/tMuAPa92P9T+6o
Y5/rwVh7mQ6vqFCv5vgQq71qbesaS0ECnKZKbXu+OXrZcegK5AIaTBf2s9pcrfQS
IIE33Tiut2GG/L33uLmeFSGxroja2WIpoWzbC6CqYQ+34EsJb0MOa/XSQBMJKlM6
OrXKaij9k33Lc6cyBFWLe0/6E1I8YwhJ5Y12IFO7BJ8nvUKDfXI6JWU4oTeGamfb
owg8mMx/s7N56X+jlBOw4lCtpMUzQ4TP2nVFbn0+5/U44lhBTEnTNH2gkIJZcmOC
ZjnTOyqvX3TGpSLZS/dpX3Tjk67MvPmNgnKyDRjNjobdUK5DKfF1A1tzHRR/IxWp
+rh+Zoery3XuTmAtVSlzQ/Hai6qKKDwonV13cJ0jgbQM2pLONkXQ6lIfuTepCd4r
hEj6XyTXQcZZx7f2zpKvA9awQWHAepEMF7AeOXBVoGUy3w3cwBkiPUlK9blqV4p4
7ghKCXwB6v5oRDozVm6dwbuqABh8V3DZyyv0USe7dmKXFonmWTbmX0lW3LEGtu47
mSkI023VD/n62Ot0tXL740t1W+U8x5Le8mmwnstZyOUNHCeCI9b5BVLwStTKAkt8
0dJ5Qd0RcHGQrtvY4M5WddV8tyK/XS6v4EADpCBw8+0jXg6HCE0=
=NvYF
-----END PGP SIGNATURE-----
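The changelog above describes two mitigations in one sentence each: ignoring relatively long values in a similarity validator (CVE-2021-45115) and refusing crafted file names in a storage save path (CVE-2021-45452). The following Python is an added illustration of both ideas, written for this page; it is not Django's or Debian's code and does not reproduce the upstream patches. The `MAX_SIMILARITY` threshold, the constructed `MEDIA_ROOT` and every function name are this example's own assumptions.

```python
import os
import re
from difflib import SequenceMatcher

# Added illustration, not Django's or Debian's own code: two defensive
# checks in the spirit of the CVE-2021-45115 and CVE-2021-45452 fixes
# noted in the changelog above. Every name here is this example's own.

MAX_SIMILARITY = 0.7           # assumed threshold for "too similar"
MEDIA_ROOT = "/var/app/media"  # constructed storage root for the demo


def similarity_upper_bound(a: str, b: str) -> float:
    """Largest value SequenceMatcher(a, b).ratio() can possibly return.

    ratio() is 2*M/T, where M is the number of matched characters (never
    more than the shorter string) and T = len(a) + len(b). The bound
    therefore follows from the two lengths alone and costs O(1), however
    long `a` is.
    """
    total = len(a) + len(b)
    return 2.0 * min(len(a), len(b)) / total if total else 0.0


def is_too_similar(password: str, value: str,
                   max_similarity: float = MAX_SIMILARITY) -> bool:
    """True when `password` is too close to a user attribute `value`.

    The O(n*m) comparison only runs for parts whose length bound shows the
    threshold is reachable. An oversized password against a normal-sized
    attribute value is dismissed in constant time, which removes the
    attacker-controlled cost behind the denial of service described for
    CVE-2021-45115.
    """
    password = password.lower()
    value = value.lower()
    # compare against the whole value and each of its word-like parts
    parts = [p for p in re.split(r"\W+", value) if p] + [value]
    for part in parts:
        if not part or similarity_upper_bound(password, part) < max_similarity:
            continue  # cannot reach the threshold: skip the real comparison
        if SequenceMatcher(a=password, b=part).ratio() >= max_similarity:
            return True
    return False


def safe_storage_path(base_dir: str, name: str) -> str:
    """Resolve `name` under `base_dir`, refusing anything that escapes it.

    Two independent checks: the name must be relative with no '.' or '..'
    components, and the resolved path must still lie inside the real
    `base_dir` (which also catches symlink tricks). Validation of this
    kind has to happen before a storage save() touches the filesystem
    (compare CVE-2021-45452 above). Backslashes are treated as separators
    to stay conservative on POSIX hosts.
    """
    if not name or "\x00" in name:
        raise ValueError(f"invalid file name: {name!r}")
    if name.startswith(("/", "\\")) or os.path.isabs(name):
        raise ValueError(f"absolute file name refused: {name!r}")
    parts = re.split(r"[\\/]+", name)
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"path traversal refused: {name!r}")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"file name escapes storage root: {name!r}")
    return candidate


def is_safe_storage_name(base_dir: str, name: str) -> bool:
    """Boolean wrapper around safe_storage_path() for callers that only log."""
    try:
        safe_storage_path(base_dir, name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(is_too_similar("john.doe1", "john.doe"))      # True
    print(is_too_similar("x" * 1_000_000, "john.doe"))  # False, decided in O(1)
    for n in ("avatars/2022/me.png", "../../etc/passwd", "/etc/passwd", "a/./b"):
        print(n, is_safe_storage_name(MEDIA_ROOT, n))
```

The length bound is the key design point for the validator: because the ratio can never exceed twice the shorter length over the combined length, a submission many times longer than any attribute value is provably below the threshold and need not be compared at all. For the storage check, the lexical component test and the `realpath` containment test are deliberately redundant, so that a bug in one (or an unexpected symlink under the media root) does not by itself turn into a write outside it.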