Chris Lamb wrote:

> I will wait a few days to see what upstream says. I will also have to
> re-release for jessie LTS, alas.

Okay, this is now fixed in the following versions (without and with the
regression fix):

  Distribution   Upload with regression   Upload with regression fixed
  ========================================================================
  jessie         1.7.11-1+deb8u9          1.7.11-1+deb8u10
  stretch        n/a                      1:1.10.7-2+deb9u9 (pending)
  buster         n/a                      1:1.11.29-1~deb10u1 (pending)
  unstable       2:2.2.13-1               2:2.2.13-2
  experimental   2:3.0.7-1                2:3.0.7-2
  ========================================================================

The two pending uploads (i.e. needing your approval) to upload are:

  python-django (1:1.10.7-2+deb9u9) stretch-security; urgency=high

    * CVE-2020-13254: Potential data leakage via malformed memcached keys.
      In cases where a memcached backend does not perform key validation,
      passing malformed cache keys could result in a key collision, and
      potential data leakage. In order to avoid this vulnerability, key
      validation is added to the memcached cache backends.

    * CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget. Query
      parameters to the admin ForeignKeyRawIdWidget were not properly URL
      encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now
      ensures query parameters are correctly URL encoded.

   -- Chris Lamb <la...@debian.org>  Sat, 13 Jun 2020 15:47:14 +0100

and

  python-django (1:1.11.29-1~deb10u1) buster-security; urgency=high

    * New upstream security release (postponed from March 2020):

      - CVE-2020-9402: Potential SQL injection via tolerance parameter in
        GIS functions and aggregates on Oracle

      Note that Django 1.11.x left upstream's extended security support on
      April 1st 2020. For more information, please see:

        https://www.djangoproject.com/download/

    * This upload also fixes the following security issues:

      - CVE-2020-13254: Potential data leakage via malformed memcached keys.
        In cases where a memcached backend does not perform key validation,
        passing malformed cache keys could result in a key collision, and
        potential data leakage. In order to avoid this vulnerability, key
        validation is added to the memcached cache backends.

      - CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget. Query
        parameters to the admin ForeignKeyRawIdWidget were not properly URL
        encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now
        ensures query parameters are correctly URL encoded.

   -- Chris Lamb <la...@debian.org>  Sun, 14 Jun 2020 12:15:26 +0100

The full debdiffs are attached. Can you especially check the versioning
scheme and distribution fields for me? I often get this wrong and end up
confusing myself. Really appreciated.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-
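Added illustration (editor's example; not part of Chris Lamb's message and not Django's code): the two mechanisms the changelog entries above describe, in plain Python. The memcached part models only what the memcached text protocol itself documents, namely that commands are tokenized on whitespace, that control characters are forbidden in keys, and that keys are capped at 250 bytes; the function names, the `InvalidCacheKey` exception and the sample keys are assumptions of this example. The query-string part uses `urllib.parse.urlencode` for the encoding that the ForeignKeyRawIdWidget fix requires, alongside the unsafe interpolation pattern for contrast; neither function is the widget's actual code.

```python
"""Editor's example: memcached key validation and URL-encoded admin lookup
query strings, in the spirit of CVE-2020-13254 / CVE-2020-13596 (not Django's code)."""
from urllib.parse import urlencode

# Key length limit documented by the memcached text protocol.
MEMCACHE_MAX_KEY_LENGTH = 250


class InvalidCacheKey(ValueError):
    """Hypothetical exception: the key cannot be carried safely by memcached."""


def memcached_key_as_seen_by_server(key: str) -> str:
    """Simplified model of how the memcached text protocol reads an unvalidated key.

    A naive client writes 'get <key>\\r\\n' verbatim. The server takes the
    first line and treats the first whitespace-delimited token as the key,
    so anything after a space, tab or CRLF in the logical key is lost (or,
    after CRLF, parsed as a second command).
    """
    first_line = key.split("\r\n", 1)[0]
    tokens = first_line.split()
    return tokens[0] if tokens else ""


def keys_collide(key_a: str, key_b: str) -> bool:
    """True when two *different* logical keys land on the same stored key."""
    return (key_a != key_b
            and memcached_key_as_seen_by_server(key_a)
            == memcached_key_as_seen_by_server(key_b))


def validate_memcached_key(key: str) -> str:
    """Reject keys the text protocol would tokenize differently from the caller's intent.

    Rule mirrored here: no byte below 0x21 (whitespace and C0 controls),
    no DEL (0x7f), and at most 250 bytes once UTF-8 encoded.
    """
    if len(key.encode("utf-8")) > MEMCACHE_MAX_KEY_LENGTH:
        raise InvalidCacheKey(
            f"key longer than {MEMCACHE_MAX_KEY_LENGTH} bytes: {key[:40]!r}...")
    for ch in key:
        if ord(ch) < 33 or ord(ch) == 127:
            raise InvalidCacheKey(
                f"key contains whitespace/control character {ch!r}: {key!r}")
    return key


def is_valid_memcached_key(key: str) -> bool:
    """Boolean wrapper around validate_memcached_key for callers that prefer not to catch."""
    try:
        validate_memcached_key(key)
    except InvalidCacheKey:
        return False
    return True


def naive_lookup_query(params: dict) -> str:
    """The unsafe pattern: values interpolated verbatim into '?k=v&k2=v2'.

    A value containing '"', '<' or '>' can terminate the href attribute the
    string is rendered into and inject markup.
    """
    return "?" + "&".join(f"{k}={v}" for k, v in params.items()) if params else ""


def raw_id_lookup_query(params: dict) -> str:
    """Hardened form: every key and value percent-encoded with urlencode()."""
    return "?" + urlencode(params) if params else ""


if __name__ == "__main__":
    # Constructed sample keys: the second differs only after a tab.
    a, b = "profile:7", "profile:7\tadmin"
    print("collide:", keys_collide(a, b))          # True
    print("validator accepts b:", is_valid_memcached_key(b))  # False

    # Constructed hostile limit_choices_to-style parameter.
    hostile = {"model": "auth.user", "q": '"><script>alert(1)</script>'}
    print("naive:   ", naive_lookup_query(hostile))
    print("encoded: ", raw_id_lookup_query(hostile))
```

The length check is done on the UTF-8 encoding rather than on `len(key)`, because a 200-character key of multibyte characters already exceeds memcached's 250-byte limit; a validator that counts code points passes keys the server will refuse.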