Your message dated Tue, 01 Feb 2022 17:34:19 +0000
with message-id <e1nex2p-000ei7...@fasolo.debian.org>
and subject line Bug#1004752: fixed in python-django 2:4.0.2-1
has caused the Debian Bug report #1004752,
regarding python-django: CVE-2022-22818 CVE-2022-23833
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1004752: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004752
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1:1.10.7-2+deb9u14
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django:

* CVE-2022-22818: Possible XSS via {% debug %} template tag

  The {% debug %} template tag didn't properly encode the current
  context, posing an XSS attack vector.

  In order to avoid this vulnerability, {% debug %} no longer outputs
  information when the DEBUG setting is False, and it ensures all
  context variables are correctly escaped when the DEBUG setting is
  True.

* CVE-2022-23833: Denial-of-service possibility in file uploads

  Passing certain inputs to multipart forms could result in an
  infinite loop when parsing files.

This issue has severity "medium" according to the Django security policy.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-22818
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22818
[1] https://security-tracker.debian.org/tracker/CVE-2022-23833
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23833


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- End Message ---
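The two behaviours of the CVE-2022-22818 fix described in the report (no output when DEBUG is False, escaped output when DEBUG is True), shown on a constructed stand-in for the `{% debug %}` tag. This is an added illustration, not Django's own code; the context dict, function names and `<pre>` wrapper are assumptions made for the example.

```python
import html
import pprint

# Constructed stand-in for a template rendering context; it is a plain dict,
# not Django's Context class. The values model data an attacker can influence.
CONTEXT = {
    "user": "<script>alert(1)</script>",
    "items": ["safe", "<img src=x onerror=alert(1)>"],
}


def render_debug_tag_vulnerable(context: dict) -> str:
    """Pre-fix behaviour: dumps the context verbatim, regardless of DEBUG."""
    return "<pre>" + pprint.pformat(context) + "</pre>"


def render_debug_tag_fixed(context: dict, debug: bool) -> str:
    """Post-fix behaviour as described in the advisory:
    - emits nothing at all when DEBUG is False
    - HTML-escapes the whole dump when DEBUG is True
    """
    if not debug:
        return ""
    return "<pre>" + html.escape(pprint.pformat(context)) + "</pre>"


def contains_raw_markup(rendered: str) -> bool:
    """Check helper: does any angle bracket survive unescaped inside the
    dump, i.e. outside the <pre> wrapper the tag itself emits?"""
    body = rendered.removeprefix("<pre>").removesuffix("</pre>")
    return "<" in body or ">" in body
```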
--- Begin Message ---
Source: python-django
Source-Version: 2:4.0.2-1
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1004...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Tue, 01 Feb 2022 09:02:51 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:4.0.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 1004752
Changes:
 python-django (2:4.0.2-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2022-22818: Possible XSS via {% debug %} template tag.
       The {% debug %} template tag didn't properly encode the current context,
       posing an XSS attack vector.
 .
       In order to avoid this vulnerability, {% debug %} no longer outputs
       information when the DEBUG setting is False, and it ensures all context
       variables are correctly escaped when the DEBUG setting is True.
 .
     - CVE-2022-23833: Denial-of-service possibility in file uploads
 .
       Passing certain inputs to multipart forms could result in an
       infinite loop when parsing files.
 .
     See <https://www.djangoproject.com/weblog/2022/feb/01/security-releases/>
     for more information. (Closes: #1004752)

--- End Message ---
