Your message dated Tue, 01 Feb 2022 17:49:41 +0000
with message-id <[email protected]>
and subject line Bug#1004752: fixed in python-django 2:3.2.12-1
has caused the Debian Bug report #1004752,
regarding python-django: CVE-2022-22818 CVE-2022-23833
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1004752: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004752
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 1:1.10.7-2+deb9u14
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for python-django:
* CVE-2022-22818: Possible XSS via {% debug %} template tag
The {% debug %} template tag didn't properly encode the current
context, posing an XSS attack vector.
In order to avoid this vulnerability, {% debug %} no longer outputs
information when the DEBUG setting is False, and it ensures all
context variables are correctly escaped when the DEBUG setting is
True.
* CVE-2022-23833: Denial-of-service possibility in file uploads
Passing certain inputs to multipart forms could result in an
infinite loop when parsing files.
This issue has severity "medium" according to the Django security policy.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-22818
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22818
[1] https://security-tracker.debian.org/tracker/CVE-2022-23833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23833
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 2:3.2.12-1
Done: Chris Lamb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 01 Feb 2022 09:28:58 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.12-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1004752
Changes:
python-django (2:3.2.12-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2022-22818: Possible XSS via {% debug %} template tag.
.
The {% debug %} template tag didn't properly encode the current context,
posing an XSS attack vector.
.
In order to avoid this vulnerability, {% debug %} no longer outputs
information when the DEBUG setting is False, and it ensures all context
variables are correctly escaped when the DEBUG setting is True.
.
- CVE-2022-23833: Denial-of-service possibility in file uploads.
.
Passing certain inputs to multipart forms could result in an
infinite loop when parsing files.
.
See <https://www.djangoproject.com/weblog/2022/feb/01/security-releases/>
for more information. (Closes: #1004752)
Checksums-Sha1:
cdc813e579d51018d8416c449d14219479d931c2 2807 python-django_3.2.12-1.dsc
93f6c3f0fd89f5c5a44dee688e752a258900a54e 9812448
python-django_3.2.12.orig.tar.gz
8f3bfe43385673b8ae937169c395c5dfba8de2fb 35060
python-django_3.2.12-1.debian.tar.xz
d215015572a9dd6e89c8a97b30fb63f9692033db 8089
python-django_3.2.12-1_amd64.buildinfo
Checksums-Sha256:
c33aa89544c0b0a5971df3cb18f1fd1deb9ed41035cade5364cda7f3f7f956cc 2807
python-django_3.2.12-1.dsc
9772e6935703e59e993960832d66a614cf0233a1c5123bc6224ecc6ad69e41e2 9812448
python-django_3.2.12.orig.tar.gz
7f1bf88141e5e9e06cbf1bc60606ed53b6cb629c384a3dde5a0068aa46eb3591 35060
python-django_3.2.12-1.debian.tar.xz
b99d78aab5699dbd4b57bdc704c4d980118b2df22b303d35d033741e67698a62 8089
python-django_3.2.12-1_amd64.buildinfo
Files:
350062ea51fb57ddd8a0b72744d808ef 2807 python optional
python-django_3.2.12-1.dsc
1847b2f286930a9d84e820a757e3a7ec 9812448 python optional
python-django_3.2.12.orig.tar.gz
eedef8404056d75832230ebd4d3e2f30 35060 python optional
python-django_3.2.12-1.debian.tar.xz
77bdb2ee3e8039c7c7b724a99231a894 8089 python optional
python-django_3.2.12-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmH5b2kACgkQHpU+J9Qx
HljlFA/+Mlty1sgR7gMekexDmjhXvQEUCfai7Soe42wE1IRTtl2FUh4MKofvQBnp
rY9Fsb9cI2mQgPPHA0/X8uBM5J5L+Izf+Jvs6rBcTuWtMgGll9meu9K+fRWDiPWS
1U9RDqphuEaiE008fe7GRpu5p5JdrCFGpVbIE4QteYZcxSCbhQ7Gtku30OpBAPgu
oLTY+hB8JbCCXTpgasdtkuMyoFv2BhYC07NfVew8j0coA8+JFEJbk4yohXReKZYX
CFc8zBMfVUFAcesrjEv6wTteyZ32ZYsQcsUOlTQlAdRrIcGp4+tHP81Xvoe11a1i
h8KZIAbLMYjD5X119U49T5/idZxcngfai1wPqDFbyk5KFJ0EU1QqTq7Cqr2XJsto
Gg5RcMKHy6mM6Q+h7pexUj5Vz5HAz031KUurTKmj56suySMFYbW8UZyvB2gMbjiS
GBJxornAyccac/urRj7+SXzouPeWp/ekuEsZkk69p2QDzSjmgpKVBaOnCpHmoLxG
IzAlZX3i+SX14AWM1SVezdSfFXU51lV4LjlH9/+I8k4q+3Ud9FSeQ9gqRPyO0hVx
bCSfnouCgXp6DXoms+nmtKuN4smvJF4xMUwr5T6SiayDGHiP8eQ+uGhejFmb9lvN
hWkxT7JlpZNIbZ8RQOBGGNuDEn5iXcEiarrY5nnFmN0cORqLouo=
=2XVi
-----END PGP SIGNATURE-----
--- End Message ---