Package: python-django
Version: 1:1.10.7-2+deb9u14
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django:

* CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator [0]

  UserAttributeSimilarityValidator incurred significant overhead evaluating
  submitted passwords that were artificially large relative to the comparison
  values. On the assumption that access to user registration was unrestricted,
  this provided a potential vector for a denial-of-service attack. In order to
  mitigate this issue, relatively long values are now ignored by
  UserAttributeSimilarityValidator.

* CVE-2021-45116: Potential information disclosure in dictsort template filter [1]

  Due to leveraging the Django Template Language's variable resolution logic,
  the dictsort template filter was potentially vulnerable to information
  disclosure or unintended method calls if passed a suitably crafted key. In
  order to avoid this possibility, dictsort now works with a restricted
  resolution logic that will not call methods, nor allow indexing on
  dictionaries.

* CVE-2021-45452: Potential directory-traversal via Storage.save() [2]

  Storage.save() allowed directory-traversal if directly passed suitably
  crafted file names.

If you fix the vulnerabilities please also make sure to include the CVE
(Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-45115
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45115
[1] https://security-tracker.debian.org/tracker/CVE-2021-45116
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45116
[2] https://security-tracker.debian.org/tracker/CVE-2021-45452
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45452

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
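Added example, not part of the bug report and not Django's own code: an illustrative reimplementation of the CVE-2021-45115 mitigation described above. It assumes a plain dict of user attributes in place of a Django user object, and uses the arithmetic upper bound on SequenceMatcher's ratio to skip any comparison that cannot reach the similarity threshold, so an oversized password never reaches the costly comparison path.

```python
import re
from difflib import SequenceMatcher


def max_possible_ratio(a, b):
    """Upper bound on SequenceMatcher.ratio() for strings a and b.

    ratio() is 2*M/(len(a)+len(b)) with M matching characters, and M can
    never exceed the length of the shorter string, so the bound is cheap
    to compute and needs no character-level work.
    """
    total = len(a) + len(b)
    return 0.0 if total == 0 else 2.0 * min(len(a), len(b)) / total


def similar_attribute_parts(password, user_attributes, max_similarity=0.7):
    """Return ([(attribute, part), ...], comparisons_performed).

    Each attribute value is split on non-word characters (as the Django
    validator does) and each part is compared against the password.  A
    part is only handed to SequenceMatcher when a score >= max_similarity
    is arithmetically possible; for a password far longer than every
    attribute part the bound fails for all of them and no comparison
    runs at all, which is the mitigation the report describes.
    Illustrative reimplementation; the threshold 0.7 mirrors Django's
    default but the guard is an assumption, not the upstream code.
    """
    password = password.lower()
    hits = []
    comparisons = 0
    for name, value in user_attributes.items():
        if not value or not isinstance(value, str):
            continue
        value = value.lower()
        for part in re.split(r"\W+", value) + [value]:
            if not part or max_possible_ratio(password, part) < max_similarity:
                continue  # length alone rules out a match: skip the costly path
            comparisons += 1
            if SequenceMatcher(a=password, b=part).quick_ratio() >= max_similarity:
                hits.append((name, part))
                break  # one hit per attribute is enough to reject the password
    return hits, comparisons


if __name__ == "__main__":
    # Constructed sample attributes for a local check.
    attrs = {"username": "alice", "email": "alice@example.com"}
    print(similar_attribute_parts("alice1", attrs))          # hits on both
    print(similar_attribute_parts("x" * 10000, attrs))       # ([], 0): all skipped
```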