Package: python-django
Version: 1:1.10.7-2+deb9u15
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,

The following vulnerability was published for python-django.

CVE-2022-28346[0]:
| An issue was discovered in Django 2.2 before 2.2.28, 3.2 before
| 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and
| extra() methods are subject to SQL injection in column aliases via a
| crafted dictionary (with dictionary expansion) as the passed **kwargs.

There was another CVE as part of this release:

  https://www.djangoproject.com/weblog/2022/apr/11/security-releases/

However, the CVE in question (CVE-2022-28347) does not apply in buster,
stretch or jessie; the .explain(...) functionality was added in later
versions.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-28346
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28346

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
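The root cause quoted above is that `**{...}` expansion lets any string, not just a Python identifier, become a column alias, so the ORM has to validate alias names itself before they reach generated SQL. The following is an added example of such a check, written for this report and not code from Django or the bug report; the `FORBIDDEN_ALIAS_PATTERN` below is my own choice of characters, and `annotate()` is a stand-in for `QuerySet.annotate()`, not Django's method.

```python
import re

# Added example (not from the bug report or Django): reject any alias that
# could break out of its quoting in generated SQL. The character set here is
# an assumption of this example: whitespace, quotes (', ", `), brackets,
# semicolons and SQL comment markers never belong in a column alias.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"""['"`\]\[;\s]|--|/\*|\*/""")


def check_alias(alias):
    """Return the alias unchanged if it is safe to embed, else raise."""
    if not isinstance(alias, str) or not alias:
        raise ValueError("Column alias must be a non-empty string.")
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace characters, quotation "
            "marks, semicolons, or SQL comments: %r" % alias
        )
    return alias


def annotate(**kwargs):
    """Stand-in for QuerySet.annotate(): the keyword names are the aliases.

    Written as plain keyword arguments, Python's syntax only admits
    identifiers. With dictionary expansion (annotate(**{...})) any string
    arrives here, so every name is validated before use.
    """
    return {check_alias(alias): expr for alias, expr in kwargs.items()}


def classify_aliases(aliases):
    """Split candidate aliases into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for alias in aliases:
        try:
            check_alias(alias)
            accepted.append(alias)
        except ValueError:
            rejected.append(alias)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample aliases: the first two are ordinary identifiers,
    # the rest could only arrive via **{...} expansion and are refused.
    samples = ["total", "author_count", "total; --", 'x"y', "a b", "c/*d*/"]
    print(classify_aliases(samples))
    print(annotate(total="Count('books')"))
```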