Your message dated Thu, 20 Oct 2022 20:42:38 +0000
with message-id <e1olcnc-004dl3...@fasolo.debian.org>
and subject line Bug#1004752: fixed in python-django 2:2.2.28-1~deb11u1
has caused the Debian Bug report #1004752,
regarding python-django: CVE-2022-22818 CVE-2022-23833
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1004752: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004752
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1:1.10.7-2+deb9u14
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django:

* CVE-2022-22818: Possible XSS via {% debug %} template tag

  The {% debug %} template tag didn't properly encode the current
  context, posing an XSS attack vector.

  In order to avoid this vulnerability, {% debug %} no longer outputs
  information when the DEBUG setting is False, and it ensures all
  context variables are correctly escaped when the DEBUG setting is
  True.

* CVE-2022-23833: Denial-of-service possibility in file uploads

  Passing certain inputs to multipart forms could result in an
  infinite loop when parsing files.

This issue has severity "medium" according to the Django security policy.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-22818
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22818
[1] https://security-tracker.debian.org/tracker/CVE-2022-23833
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23833


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 2:2.2.28-1~deb11u1
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1004...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Fri, 14 Oct 2022 10:02:41 -0700
Source: python-django
Binary: python-django-doc python3-django
Architecture: source all
Version: 2:2.2.28-1~deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework
Closes: 1004752 1009677 1014541
Changes:
 python-django (2:2.2.28-1~deb11u1) bullseye-security; urgency=medium
 .
   * New upstream security release:
     <https://docs.djangoproject.com/en/4.0/releases/2.2.28/>
 .
     - CVE-2022-28346: Prevent a potential SQL injection in QuerySet.annotate(),
       aggregate() and extra(). These methods were subject to SQL injection in
       column aliases. (Closes: #1009677)
 .
     - CVE-2022-28347: Prevent a SQL injection attack via
       QuerySet.explain(**options) when using the PostgreSQL database.
       QuerySet.explain() method was subject to SQL injection in option names.
       (Closes: #1009677)
 .
   * Incorporates changes from previous 2.2.27 security release:
     <https://docs.djangoproject.com/en/4.0/releases/2.2.27/>
 .
     - CVE-2022-22818: Prevent a possible XSS vulnerability via the {% debug %}
       template tag. This tag didn't correctly encode the current context,
       posing an XSS attack vector. In order to avoid this vulnerability,
       {% debug %} no longer outputs information when the DEBUG setting is
       False, and it ensures all context variables are correctly escaped when
       the DEBUG setting is True. (Closes: #1004752)
 .
     - CVE-2022-23833: Prevent a denial-of-service opportunity in file uploads.
       Passing certain inputs to multipart forms could result in an infinite
       loop when parsing files. (Closes: #1004752)
 .
   * Additionally backport the following patches from upstream:
 .
     - CVE-2022-34265: Prevent an issue with the Trunc() and Extract() database
       functions which were potentially subject to SQL injection if untrusted
       data was used as a kind/lookup_name value. Applications that constrain
       the lookup name and kind choice to a known safe list were unaffected by
       this vulnerability. (Closes: #1014541)
 .
     - CVE-2022-36359: Fix a reflected file download (RFD) attack that could be
       exploited if the application sets the Content-Disposition header of a
       FileResponse derived from user-supplied input.
 .
     - CVE-2022-41323: Prevent a potential denial-of-service vulnerability in
       internationalised URLs that was exploitable via the "locale" parameter.
       This is now escaped to avoid this possibility.


--- End Message ---
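The CVE-2022-36359 entry above says the reflected file download issue arises when Content-Disposition is built from user-supplied input. The following is an added example (not Django's own code) of the kind of header builder that closes that gap: it rejects control characters, escapes backslashes and double quotes in the quoted-string form, and falls back to the RFC 5987 filename* form for non-ASCII names. The function name and its signature are this example's own assumptions.

```python
from urllib.parse import quote


def content_disposition_header(as_attachment: bool, filename: str) -> str:
    """Return a Content-Disposition value that a user-influenced filename
    cannot break out of. Added example, not Django's implementation."""
    # CR, LF and other control characters are never legitimate in a filename
    # and could otherwise split the header; refuse them outright.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in filename):
        raise ValueError("control characters are not allowed in a filename")

    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        # Non-ASCII: percent-encode into the RFC 5987 filename* parameter so no
        # raw bytes reach the header line.
        return "{}; filename*=utf-8''{}".format(disposition, quote(filename))

    # ASCII: quoted-string form. Escape the quoted-pair characters so a name
    # such as a".exe cannot terminate the quotes early and smuggle in a new
    # parameter or a different extension.
    escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
    return '{}; filename="{}"'.format(disposition, escaped)


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual check.
    for name in ["report.pdf", 'a"b.txt', "résumé.pdf"]:
        print(content_disposition_header(True, name))
```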
