Hi Chris,

On Thu, Feb 25, 2021 at 04:42:55PM +0000, Chris Lamb wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> Dear stable release managers,
>
> Please consider python-django (1:1.11.29-1+deb10u1) for buster:
>
> python-django (1:1.11.29-1+deb10u1) buster; urgency=high
> .
>   * CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
>     cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
>     added to backport some security fixes. A further security fix has been
>     issued recently such that parse_qsl() no longer allows using ";" as a
>     query parameter separator by default. (Closes: #983090)
> .
>   For more information, please see:
> .
>   https://www.djangoproject.com/weblog/2021/feb/19/security-releases/

There are also still other open issues (which similarly do not warrant a DSA): CVE-2021-3281, CVE-2020-24583 and CVE-2020-24584. Can you add fixes for those as well?

> The full diff is attached. The security team believe this should go
> via s-p-u rather than via a DLA (if at all):
>
> https://bugs.debian.org/983090#27
>
> Please double-check the version number for me. The current version in
> buster-security is 1:1.11.29-1~deb10u1 (with a tilde).

The version should IMHO still be smaller than 1:1.11.29-1 but incremented, so I would use 1:1.11.29-1~deb10u2, as it is patched with respect to 1:1.11.29-1~deb10u1.

Regards,
Salvatore
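As an added illustration (not code from the bug report or from Django itself), a minimal reimplementation of the two parse_qsl() splitting rules the changelog refers to: it shows why a cache that splits a query string only on "&" and an application that also splits on ";" disagree about which parameters a request carries, and that with the fixed default both agree. The function names and the sample query string are constructed here.

```python
import re
from urllib.parse import unquote_plus


def parse_qsl_split(qs, separators):
    """Split qs into (key, value) pairs on any character in `separators`.

    The pre-fix parse_qsl() behaviour corresponds to separators="&;"
    (both characters delimit pairs); the fixed default is "&" only.
    Empty chunks are skipped and keys/values are percent-decoded.
    """
    pairs = []
    for chunk in re.split("[" + re.escape(separators) + "]", qs):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def cache_key_params(qs):
    """Parameters as seen by a cache/proxy that splits only on '&'."""
    return dict(parse_qsl_split(qs, "&"))


def legacy_app_params(qs):
    """Parameters as seen by an app using the old ';'-aware parse_qsl()."""
    return dict(parse_qsl_split(qs, "&;"))


def fixed_app_params(qs):
    """Parameters after the fix: ';' is ordinary data, not a separator."""
    return dict(parse_qsl_split(qs, "&"))


def views_disagree(qs):
    """True when the cache and the old app would see different parameters."""
    return cache_key_params(qs) != legacy_app_params(qs)


# Constructed sample: the cache sees one parameter, the old app sees two.
QUERY = "page=1;utm_content=x"

if __name__ == "__main__":
    print("cache sees:", cache_key_params(QUERY))
    print("old app   :", legacy_app_params(QUERY))
    print("fixed app :", fixed_app_params(QUERY))
    print("mismatch  :", views_disagree(QUERY))
```

The mismatch is the root cause the fix removes: once both sides split only on "&", a parameter can no longer be hidden from the cache inside another parameter's value.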