Public bug reported:

Upstream: tbd
Debian:   3:4.2.11-1 3:5.0.4-1
Ubuntu:   3:4.2.11-1ubuntu1

Debian new has 3:5.0.4-1, which may be available for merge soon.

If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.

If this merge pulls in a new upstream version, also consider adding an entry to the Oracular Release Notes: https://discourse.ubuntu.com/c/release/38

### New Debian Changes ###

python-django (3:4.2.11-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2024-27351: Fix a potential regular expression denial-of-service
      (ReDoS) attack in django.utils.text.Truncator.words. This method (with
      html=True) and the truncatewords_html template filter were subject to a
      potential regular expression denial-of-service attack via a suitably
      crafted string. This is, in part, a follow up to CVE-2019-14232 and
      CVE-2023-43665.

    <https://docs.djangoproject.com/en/dev/releases/4.2.11/>

 -- Chris Lamb <la...@debian.org>  Tue, 05 Mar 2024 13:03:35 +0000

python-django (3:4.2.10-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2024-24680: Potential denial-of-service in intcomma template filter.
      The intcomma template filter was subject to a potential
      denial-of-service attack when used with very long strings.

    <https://docs.djangoproject.com/en/dev/releases/4.2.10/>

 -- Chris Lamb <la...@debian.org>  Tue, 06 Feb 2024 08:15:25 -0800

python-django (3:4.2.9-1) unstable; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/dev/releases/4.2.9/>

 -- Chris Lamb <la...@debian.org>  Wed, 03 Jan 2024 11:15:04 +0000

python-django (3:4.2.8-1) unstable; urgency=medium

  * New upstream bugfix release.
    <https://docs.djangoproject.com/en/5.0/releases/4.2.8/>

 -- Chris Lamb <la...@debian.org>  Thu, 07 Dec 2023 13:05:03 +0000

python-django (3:4.2.6-1) unstable; urgency=high

  * New upstream security release.

    - CVE-2023-43665: Address a denial-of-service possibility in
      django.utils.text.Truncator.

      Following the fix for CVE-2019-14232, the regular expressions used in
      the implementation of django.utils.text.Truncator’s chars() and words()
      methods (with html=True) were revised and improved. However, these
      regular expressions still exhibited linear backtracking complexity, so
      when given a very long, potentially malformed HTML input, the
      evaluation would still be slow, leading to a potential denial of
      service vulnerability.

      The chars() and words() methods are used to implement the
      truncatechars_html and truncatewords_html template filters, which were
      thus also vulnerable.

      The input processed by Truncator, when operating in HTML mode, has
      been limited to the first five million characters in order to avoid
      potential performance and memory issues.

    <https://www.djangoproject.com/weblog/2023/oct/04/security-releases/>

 -- Chris Lamb <la...@debian.org>  Thu, 05 Oct 2023 09:17:06 +0200

python-django (3:4.2.5-2) unstable; urgency=medium

  * Upload 4.2.x branch to unstable with a -2 suffix to prevent collision
    with previous upload of 3:4.2.5-1 to experimental.

 -- Chris Lamb <la...@debian.org>  Sun, 24 Sep 2023 13:52:16 -0700

python-django (3:3.2.21-1) unstable; urgency=high

  * New upstream security release:

    - CVE-2023-41164: Potential denial of service vulnerability in
      django.utils.encoding.uri_to_iri(). This method was subject to
      potential denial of service attack via certain inputs with a very
      large number of Unicode characters. (Closes: #1051226)

    <https://www.djangoproject.com/weblog/2023/sep/04/security-releases/>

  * Refresh patches.

 -- Chris Lamb <la...@debian.org>  Mon, 04 Sep 2023 11:02:53 -0700

python-django (3:3.2.20-1.1) unstable; urgency=high

  [ Gianfranco Costamagna ]
  * Non-maintainer upload.

  [ Graham Inggs ]
  * Cherry-pick upstream commit to fix URLValidator crash in some edge cases
    (LP: #2025155, Closes: #1037920)

 -- Gianfranco Costamagna <locutusofb...@debian.org>  Tue, 04 Jul 2023 09:31:10 +0200

### Old Ubuntu Delta ###

python-django (3:4.2.11-1ubuntu1) noble; urgency=medium

  * d/p/fix-mail-using-utf-8-surrogateescape.patch: Fix
    SafeMIMEText.set_payload() crash using python 3.12.3

 -- Lena Voytek <lena.voy...@canonical.com>  Tue, 16 Apr 2024 12:25:28 -0700

** Affects: python-django (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: needs-merge upgrade-software-version

** Changed in: python-django (Ubuntu)
    Milestone: None => ubuntu-24.06

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064448

Title:
  Merge python-django from Debian unstable for oracular

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/2064448/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs