-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3177-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Chris Lamb November 04, 2022 https://wiki.debian.org/LTS - -------------------------------------------------------------------------
Package : python-django Version : 1:1.11.29-1+deb10u3 CVE IDs : CVE-2022-28346 CVE-2021-45115 CVE-2021-45116 Debian Bugs : 1003113 1009677 It was discovered that there were multiple vulnerabilies in Django, a popular Python-based development framework: * CVE-2022-28346: An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs. * CVE-2021-45115: An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack. * CVE-2021-45116: An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key. For Debian 10 buster, these problems have been fixed in version 1:1.11.29-1+deb10u3. We recommend that you upgrade your python-django packages. For the detailed security status of python-django please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python-django Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmNlIy4ACgkQHpU+J9Qx HliSmg/9GZlabVCe4zfToSsNXh8c9xrlUXnv6o2zkNRUxIlCIAmMlrZoo6qzfCsA yZ40ADF63HwKfv0Obu3qHeqpXQmOG69qh0zj7NrZFOaApCcvAwceehnfRgnFQ7Jx IbOu5RC+DXcbHV3zm5PiJ5GkOJp2pjTCgOHsIENvuLJBnzS1WDvXJuXbtP++8pe9 7c7mFihXmjNCMNVqePs0IvHRXJj56ml6GDSclE4d2kj9PotvkhO7W8K7Wawnj/in sS4MUrKaRlnRejVV3jdTw/O2B7tgnwbqRTscMzEEN2/tp9j9vEYwK+6ahcMmBOAs FCZTYrAmsbWFX+72uFZUfbMvt+l+VtceNKpgfvPVL3i324iWw3Wpr1qByxkcp9PF QW6WdL0Izd4fINZ8Ifw+9TQH2fBcnQv6qod6T6X1Kdu3L3Ty7wx+d6J6yeku6usE EdeQXw2akLFYELTmywmLQVmyIIPyolaic5MWaSsJ74BYvZBoCaTvnU2LeOB5W4OS rXU6smXcY0x8nJoBc/sMA4NqYSGEKsZvox/6Oqn0cJJik1G9g5sYoxkkfolAXkzE 09dc6qjQDLUs89gip9vR6du0QaYxAAqfSuDZh+L4rvYOyZu9pynMQ+XTlpTyVMzm UH9PCp3qcG0GVIq4ijYAlDffIslgQd6abDx4GGPaYdUuDsEifBY= =gDZI -----END PGP SIGNATURE-----