Package: python-django
Version: 1:1.10.7-2+deb9u14
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django:

* CVE-2022-22818: Possible XSS via {% debug %} template tag

  The {% debug %} template tag didn't properly encode the current
  context, posing an XSS attack vector. In order to avoid this
  vulnerability, {% debug %} no longer outputs information when the
  DEBUG setting is False, and it ensures all context variables are
  correctly escaped when the DEBUG setting is True.

* CVE-2022-23833: Denial-of-service possibility in file uploads

  Passing certain inputs to multipart forms could result in an
  infinite loop when parsing files.

  This issue has severity "medium" according to the Django security
  policy.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-22818
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22818
[1] https://security-tracker.debian.org/tracker/CVE-2022-23833
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23833

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
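As an added illustration of the two defensive properties described above (not Django's own code, and not the upstream patches), the following Python sketch shows a toy debug-context dump that emits nothing unless DEBUG is True and HTML-escapes everything it does emit, next to a bounded multipart reader whose read loop can only advance on fresh data and stops at EOF or on a size cap. The function names, the MAX_BODY_BYTES cap and the sample context and multipart body are all constructed for this example.

```python
import html
import io

# ---- CVE-2022-22818-style concern: a debug dump must never emit raw markup ----

# Constructed sample context, standing in for a template context that
# contains a value an end user controls.
SAMPLE_CONTEXT = {
    "query": "<script>alert(1)</script>",
    "page": 3,
}


def render_debug_context(context, debug):
    """Toy stand-in for a {% debug %}-style dump (not Django's implementation).

    Emits nothing unless debug is True, and HTML-escapes every key and
    value it does emit, so a user-controlled string cannot become markup.
    """
    if not debug:
        return ""
    lines = [
        f"{html.escape(str(key))} = {html.escape(repr(context[key]))}"
        for key in sorted(context)
    ]
    return "<pre>" + "\n".join(lines) + "</pre>"


def render_debug_context_unescaped(context):
    """The unsafe shape of the same dump, kept only to show what escaping prevents."""
    lines = [f"{key} = {context[key]}" for key in sorted(context)]
    return "<pre>" + "\n".join(lines) + "</pre>"


# ---- CVE-2022-23833-style concern: multipart parsing must always terminate ----

MAX_BODY_BYTES = 1_000_000  # assumed cap for this illustration

# Constructed sample body with one file part and a proper closing delimiter.
SAMPLE_BOUNDARY = b"BOUNDARY"
SAMPLE_MULTIPART_BODY = (
    b"--BOUNDARY\r\n"
    b'Content-Disposition: form-data; name="f"; filename="a.txt"\r\n'
    b"\r\n"
    b"hello\r\n"
    b"--BOUNDARY--\r\n"
)


def read_multipart_parts(stream, boundary, chunk_size=1024):
    """Illustrative bounded multipart reader (not Django's parser).

    The read loop advances only when the stream yields data and stops at
    EOF; the size cap turns an oversized body into an error instead of
    unbounded buffering. Returns a list of (headers, body) tuples.
    """
    delimiter = b"--" + boundary
    data = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:  # EOF: no more progress is possible, so leave the loop
            break
        data += chunk
        if len(data) > MAX_BODY_BYTES:
            raise ValueError("multipart body exceeds size limit")

    raw_parts = data.split(delimiter)
    # raw_parts[0] is the preamble; the final element follows the closing
    # delimiter and must start with "--", otherwise the body is truncated.
    if len(raw_parts) < 2 or not raw_parts[-1].startswith(b"--"):
        raise ValueError("malformed multipart body: missing closing delimiter")

    parts = []
    for raw in raw_parts[1:-1]:
        raw = raw.lstrip(b"\r\n")
        header_block, _, body = raw.partition(b"\r\n\r\n")
        if body.endswith(b"\r\n"):  # the CRLF that precedes the next delimiter
            body = body[:-2]
        headers = {}
        for line in header_block.split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name:
                headers[name.strip().lower()] = value.strip()
        parts.append((headers, body))
    return parts


def parse_sample():
    """Parse the constructed sample body; used as the worked input."""
    return read_multipart_parts(io.BytesIO(SAMPLE_MULTIPART_BODY), SAMPLE_BOUNDARY)


def multipart_is_well_formed(body, boundary):
    """True when the reader accepts the body, False when it rejects it."""
    try:
        read_multipart_parts(io.BytesIO(body), boundary)
        return True
    except ValueError:
        return False
```

The reader deliberately has only one loop that depends on input, and that loop's continuation condition is "the stream produced bytes", so a body that stops producing data ends parsing rather than spinning; the closing-delimiter check then rejects truncated bodies explicitly instead of leaving them to be handled by later code.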