Public bug reported:

Upstream: tbd
Debian: 3:4.2.16-1 3:5.1.2-1
Ubuntu: 3:4.2.15-1ubuntu1

Debian new has 3:5.1.2-1, which may be available for merge soon.

If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.

If this merge pulls in a new upstream version, also consider adding an
entry to the Jammy Release Notes: https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

python-django (3:4.2.16-1) unstable; urgency=high

  * New upstream security release:
    - CVE-2024-45230: Potential denial-of-service vulnerability in
      django.utils.html.urlize(). urlize and urlizetrunc were subject to a
      potential denial-of-service attack via very large inputs with a
      specific sequence of characters.
    - CVE-2024-45231: Potential user email enumeration via response status
      on password reset. Due to unhandled email sending failures, the
      django.contrib.auth.forms.PasswordResetForm class allowed remote
      attackers to enumerate user emails by issuing password reset requests
      and observing the outcomes. To mitigate this risk, exceptions
      occurring during password reset email sending are now handled and
      logged using the django.contrib.auth logger.
  * Bump Standards-Version to 4.7.0.

 -- Chris Lamb <[email protected]>  Tue, 03 Sep 2024 17:31:33 +0100

python-django (3:4.2.15-1) unstable; urgency=high

  * New upstream security release. (Closes: #1078074)
    - CVE-2024-41989: Memory exhaustion in django.utils.numberformat. The
      floatformat template filter is subject to significant memory
      consumption when given a string representation of a number in
      scientific notation with a large exponent.
    - CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize.
      The urlize() and urlizetrunc() template filters are subject to a
      potential denial-of-service attack via very large inputs with a
      specific sequence of characters.
    - CVE-2024-41991: Potential denial-of-service vulnerability in
      django.utils.html.urlize() and AdminURLFieldWidget. The urlize and
      urlizetrunc template filters, and the AdminURLFieldWidget widget, are
      subject to a potential denial-of-service attack via certain inputs
      with a very large number of Unicode characters.
    - CVE-2024-42005: Potential SQL injection in QuerySet.values() and
      values_list(). QuerySet.values() and values_list() methods on models
      with a JSONField are subject to SQL injection in column aliases via a
      crafted JSON object key as a passed *arg.
    <https://www.djangoproject.com/weblog/2024/aug/06/security-releases/>

 -- Chris Lamb <[email protected]>  Tue, 06 Aug 2024 16:59:24 +0100

python-django (3:4.2.14-1) unstable; urgency=medium

  * New upstream security release. (Closes: #1076069)
    - CVE-2024-38875: Prevent a potential denial-of-service in
      django.utils.html.urlize. This method (and urlizetrunc) were subject
      to a potential DoS attack via specially-crafted inputs with a very
      large number of brackets.
    - CVE-2024-39329: Avoid a username enumeration vulnerability through
      timing difference for users with unusable password. The authenticate
      method of django.contrib.auth.backends.ModelBackend allowed remote
      attackers to enumerate users via a timing attack involving login
      requests for users with unusable passwords.
    - CVE-2024-39330: Address a potential directory-traversal in
      django.core.files.storage.Storage.save. Derived classes of this
      method's base class which override generate_filename without
      replicating the file path validations existing in the parent class
      allowed for potential directory-traversal via certain inputs when
      calling save(). Built-in Storage sub-classes were not affected by
      this vulnerability.
    - CVE-2024-39614: Fix a potential denial-of-service in
      django.utils.translation.get_supported_language_variant. This method
      was subject to a potential DoS attack when used with very long
      strings containing specific characters. To mitigate this
      vulnerability, the language code provided to
      get_supported_language_variant is now parsed up to a maximum length
      of 500 characters.
    <https://www.djangoproject.com/weblog/2024/jul/09/security-releases/>

 -- Chris Lamb <[email protected]>  Wed, 10 Jul 2024 09:50:49 +0100

python-django (3:4.2.13-1) unstable; urgency=medium

  * New upstream bugfix releases.
    <https://docs.djangoproject.com/en/5.0/releases/4.2.12/>
    <https://docs.djangoproject.com/en/5.0/releases/4.2.13/>

 -- Chris Lamb <[email protected]>  Wed, 08 May 2024 11:28:44 +0100

python-django (3:4.2.11-1) unstable; urgency=high

  * New upstream security release:

### Old Ubuntu Delta ###

python-django (3:4.2.15-1ubuntu1) oracular; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2024-45230.patch: mitigate potential DoS in urlize
      and urlizetrunc template filters in django/utils/html.py,
      tests/template_tests/filter_tests/test_urlize.py,
      tests/utils_tests/test_html.py.
    - CVE-2024-45230
  * SECURITY UPDATE: User email enumeration
    - debian/patches/CVE-2024-45231.patch: avoid server error on password
      reset when email sending fails in django/contrib/auth/forms.py,
      tests/auth_tests/test_forms.py, tests/mail/custombackend.py.
    - CVE-2024-45231

 -- Leonidas Da Silva Barbosa <[email protected]>  Tue, 27 Aug 2024 10:25:18 -0300

** Affects: python-django (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: needs-merge upgrade-software-version

** Changed in: python-django (Ubuntu)
    Milestone: None => ubuntu-24.12

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2085273

Title:
  Merge python-django from Debian unstable for jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/2085273/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
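The CVE-2024-45231 entry above describes the failure mode (an unhandled mail-sending error that only occurs for existing accounts, so the response status reveals whether an email is registered) and the fix (catch and log on the django.contrib.auth logger). The following is an added, constructed illustration of that pattern, not Django's code and not part of this bug report: a stand-in user store, a mail backend that always fails, and a hypothetical handler in its "before" and "after" shape.

```python
import logging

# Constructed stand-ins (not Django's code): a user store, a mail backend
# that always fails, and a capture handler on the logger the fix uses.
USERS = {"alice@example.com"}
log = logging.getLogger("django.contrib.auth")
captured = []

class _Capture(logging.Handler):
    def emit(self, record):
        captured.append(record.getMessage())

log.addHandler(_Capture())

class MailSendError(Exception):
    """Raised by the stand-in backend to simulate an SMTP failure."""

def send_reset_email(email):
    # Stand-in for a mail backend whose delivery fails on every call.
    raise MailSendError("SMTP connection refused")

def reset_vulnerable(email):
    """Before the fix: mail is only attempted for known addresses, so an
    unhandled send failure surfaces as a 500 only when the email exists."""
    if email in USERS:
        send_reset_email(email)
    return 200

def reset_hardened(email):
    """After the fix: the send failure is caught and logged to
    django.contrib.auth, so every request returns the same status."""
    if email in USERS:
        try:
            send_reset_email(email)
        except Exception:
            log.exception("Failed to send password reset email to %s", email)
    return 200

def observed_status(handler, email):
    """What an unauthenticated observer sees: 500 if the handler raised."""
    try:
        return handler(email)
    except Exception:
        return 500
```

With the vulnerable handler, a registered address yields 500 and an unknown one 200; with the hardened handler both yield 200 and the failure lands in the log instead.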
