Package: python-django
Version: 1:1.10.7-2+deb9u17
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2022-34265 [0]:

| An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before
| 4.0.6. The Trunc() and Extract() database functions are subject to SQL
| injection if untrusted data is used as a kind/lookup_name value.
| Applications that constrain the lookup name and kind choice to a known
| safe list are unaffected.

This affects:

 * stretch (1:1.10.7-2+deb9u17)
 * buster (1:1.11.29-1~deb10u1)
 * bookworm (2:3.2.13-1)

sid was already fixed in 2:4.0.6-1 and jessie is unaffected as Trunc(...)
and Extract(...) support was added later.

Let me know if you'd like me to prepare updates for any of stretch, buster
& bookworm.

[0] https://security-tracker.debian.org/tracker/CVE-2022-34265

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
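The advisory text quoted above notes that applications which constrain the kind/lookup_name value to a known safe list are unaffected. The following is an added example of that mitigation; it is not part of the bug report, Django, or the Debian packaging. The allowlists, the `UnsafeLookupName` exception, and the `group_by_period`/`queryset`/`field` names are assumptions made for the example; the set of kinds Django accepts should be checked against the version actually deployed.

```python
# Added example: allowlist a request-supplied kind / lookup_name before it
# reaches Django's Trunc() or Extract(), so that only exact, known values
# can ever be passed on. Allowlists here are assumptions for the example;
# confirm them against the Django release you run.

TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day",
    "hour", "minute", "second", "date", "time",
})

EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "hour", "minute", "second",
})


class UnsafeLookupName(ValueError):
    """Raised when a request-supplied value is not on the allowlist."""


def validate_kind(value, allowed):
    """Return the canonical allowlisted name for a request parameter.

    Only exact matches (after trimming whitespace and lower-casing) are
    accepted; any other string, a non-string, or an empty value is rejected
    before it could be interpolated into SQL by the ORM.
    """
    if not isinstance(value, str):
        raise UnsafeLookupName(f"expected str, got {type(value).__name__}")
    candidate = value.strip().lower()
    if candidate not in allowed:
        raise UnsafeLookupName(f"{value!r} is not an allowed lookup")
    return candidate


def trunc_kind_from_request(value):
    """Validate a value destined for Trunc(expression, kind)."""
    return validate_kind(value, TRUNC_KINDS)


def extract_lookup_from_request(value):
    """Validate a value destined for Extract(expression, lookup_name)."""
    return validate_kind(value, EXTRACT_LOOKUPS)


def group_by_period(queryset, field, period):
    """Annotate a queryset with a truncated date using a validated kind.

    Hypothetical caller-side helper: queryset and field are the caller's own
    model objects. Django is imported lazily so the validators above also run
    in environments without it installed.
    """
    kind = trunc_kind_from_request(period)          # rejects unknown input
    from django.db.models.functions import Trunc     # real Django API
    return queryset.annotate(period=Trunc(field, kind)).values("period")
```

The validation is deliberately an exact-match allowlist rather than a blocklist or a character filter: the ORM builds the date function name from the string it is given, so the only safe policy is to hand it one of the values the application itself enumerated.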