This bug was fixed in the package python-django - 3:5.2.4-1
---------------
python-django (3:5.2.4-1) experimental; urgency=medium
* New upstream bugfix release.
<https://www.djangoproject.com/weblog/2025/jul/02/bugfix-releases/>
-- Chris Lamb <[email protected]> Mon, 07 Jul 2025 10:29:43 -0700
python-django (3:5.2.3-1) experimental; urgency=medium
* New upstream bugfix release.
<https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/>
-- Chris Lamb <[email protected]> Tue, 10 Jun 2025 08:53:25 -0700
python-django (3:5.2.2-1) experimental; urgency=medium
* New upstream security release:
- CVE-2025-48432: Potential log injection via unescaped request
path.
Django's internal HTTP response logging used request.path directly,
allowing control characters (e.g. newlines or ANSI escape sequences) to
be written unescaped into logs. This could enable log injection or
forgery, letting attackers manipulate log appearance or structure,
especially in logs processed by external systems or viewed in terminals.
Although this does not directly impact Django's security model, it poses
risks when logs are consumed or interpreted by other tools. To fix this,
the internal django.utils.log.log_response() function now escapes all
positional formatting arguments using a safe encoding.
(Closes: #1107282)
<https://www.djangoproject.com/weblog/2025/jun/04/security-releases/>
-- Chris Lamb <[email protected]> Wed, 04 Jun 2025 08:09:36 -0700
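As an added illustration of the CVE-2025-48432 entry above (example code written for this page, not Django's own django.utils.log.log_response() and not part of the changelog): a request path carrying a newline and an ANSI escape sequence is run through a stdlib logger once raw and once with every string argument escaped. The escaping uses Python's unicode_escape codec; that Django chose exactly this codec is an assumption, and the sample paths are constructed. The small control-character check at the end is the kind of signal a detection rule can match on before the escape was in place.

```python
import io
import logging
import re

# Constructed sample input (not from the advisory): a benign path and one that
# smuggles a second log line plus an ANSI "erase line" sequence (ESC [ 2 K).
BENIGN_PATH = "/accounts/login/"
MALICIOUS_PATH = "/accounts/login/\n2025-06-04 INFO forged: admin logged in\x1b[2K"

# Bytes that have no business inside a single-line log record.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def escape_log_arg(arg):
    """Escape control characters in one positional formatting argument.

    unicode_escape turns "\\n" into the two characters backslash + n and ESC
    into backslash + x1b, so whatever the attacker sends stays on the line
    the logger wrote. (Assumption: Django's fix is in this spirit; the exact
    codec it uses is not taken from the page.)
    """
    if isinstance(arg, str):
        return arg.encode("unicode_escape").decode("ascii")
    return arg


def log_response(logger, message, *args, escape=True):
    """Stand-in for an HTTP response logger; not Django's log_response()."""
    if escape:
        args = tuple(escape_log_arg(a) for a in args)
    logger.warning(message, *args)


def render_log(path, escape):
    """Log one 404 for `path` and return exactly what reached the stream."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.Logger("example.request")  # unregistered, no propagation
    logger.addHandler(handler)
    log_response(logger, "Not Found: %s", path, escape=escape)
    handler.flush()
    return stream.getvalue()


def log_line_count(text):
    """How many records a line-oriented log consumer would see."""
    return len(text.splitlines())


def contains_control_chars(path):
    """Detection check: True if a raw path could break log line structure."""
    return CONTROL_CHARS.search(path) is not None


if __name__ == "__main__":
    print("raw:     ", repr(render_log(MALICIOUS_PATH, escape=False)))
    print("escaped: ", repr(render_log(MALICIOUS_PATH, escape=True)))
```

Without escaping the single warning becomes two physical lines, the second one indistinguishable from a genuine record to a log shipper or a grep, and a terminal would act on the escape sequence when the file is cat'ed. With escaping the record stays on one line and the control bytes are visible as text. One trade-off to be aware of: unicode_escape also rewrites non-ASCII path characters (for instance an accented letter becomes a \x or \u sequence), so readability of legitimate international paths drops slightly in exchange for structural integrity.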
python-django (3:5.2.1-1) experimental; urgency=medium
* New upstream security release:
- CVE-2025-32873: Denial-of-service possibility in strip_tags()
django.utils.html.strip_tags() would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used
to implement the striptags template filter, which was therefore also
vulnerable. strip_tags() now raises a SuspiciousOperation exception if it
encounters an unusually large number of unclosed opening tags.
(Closes: #1104872)
<https://www.djangoproject.com/weblog/2025/may/07/security-releases/>
-- Chris Lamb <[email protected]> Wed, 07 May 2025 09:27:26 -0700
python-django (3:5.2-1) experimental; urgency=medium
* New upstream stable release.
<https://www.djangoproject.com/weblog/2025/apr/02/django-52-released/>
* Bump Standards-Version to 4.7.2.
-- Chris Lamb <[email protected]> Fri, 04 Apr 2025 09:58:15 -0700
python-django (3:5.2~rc1-1) experimental; urgency=medium
* New upstream release candidate.
<https://www.djangoproject.com/weblog/2025/mar/19/django-52-rc1/>
-- Chris Lamb <[email protected]> Wed, 19 Mar 2025 12:04:42 +0000
python-django (3:5.2~beta1-1) experimental; urgency=medium
* New upstream beta release.
<https://www.djangoproject.com/weblog/2025/feb/19/django-52-beta-1-released/>
* Refresh patches.
-- Chris Lamb <[email protected]> Wed, 19 Feb 2025 11:41:40 +0000
python-django (3:5.2~alpha1-1) experimental; urgency=medium
* New upstream alpha release.
<https://www.djangoproject.com/weblog/2025/jan/16/django-52-alpha-1-released/>
* Refresh patches.
-- Chris Lamb <[email protected]> Thu, 16 Jan 2025 14:26:59 +0000
python-django (3:5.1.5-1) experimental; urgency=high
* New upstream security release. (Closes: #1093049)
- CVE-2024-56374: Potential denial-of-service vulnerability in IPv6
validation.
A lack of upper bound limit enforcement in strings passed when performing
IPv6 validation could have led to a potential denial-of-service (DoS)
attack. The undocumented and private functions clean_ipv6_address and
is_valid_ipv6_address were vulnerable, as was the GenericIPAddressField
form field, which has now been updated to define a max_length of 39
characters. The GenericIPAddressField model field was not affected.
<https://www.djangoproject.com/weblog/2025/jan/14/security-releases/>
-- Chris Lamb <[email protected]> Wed, 15 Jan 2025 17:48:05 +0000
python-django (3:5.1.4-1) experimental; urgency=medium
* New upstream security release:
- CVE-2024-53907: Potential DoS in django.utils.html.strip_tags.
The strip_tags() method and striptags template filter were subject to a
potential denial-of-service attack via certain inputs containing large
sequences of nested incomplete HTML entities.
- CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle
Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle
was subject to SQL injection if untrusted data is used as a lhs value.
Applications that use the jsonfield.has_key lookup through the __ syntax
are unaffected.
<https://www.djangoproject.com/weblog/2024/dec/04/security-releases/>
-- Chris Lamb <[email protected]> Wed, 04 Dec 2024 16:55:05 +0000
python-django (3:5.1.3-1) experimental; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/5.1/releases/5.1.3/>
* Refresh patches.
-- Chris Lamb <[email protected]> Tue, 05 Nov 2024 07:14:42 -0800
python-django (3:5.1.2-1) experimental; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/5.1/releases/5.1.2/>
-- Chris Lamb <[email protected]> Tue, 08 Oct 2024 09:56:10 -0700
python-django (3:5.1.1-1) experimental; urgency=high
* New upstream security release:
- CVE-2024-45230: Potential denial-of-service vulnerability in
django.utils.html.urlize(). urlize and urlizetrunc were subject to a
potential denial-of-service attack via very large inputs with a specific
sequence of characters.
- CVE-2024-45231: Potential user email enumeration via response status on
password reset. Due to unhandled email sending failures, the
django.contrib.auth.forms.PasswordResetForm class allowed remote
attackers to enumerate user emails by issuing password reset requests and
observing the outcomes. To mitigate this risk, exceptions occurring
during password reset email sending are now handled and logged using the
django.contrib.auth logger.
* Bump Standards-Version to 4.7.0.
-- Chris Lamb <[email protected]> Tue, 03 Sep 2024 17:25:15 +0100
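As an added illustration of the CVE-2024-45231 entry above (example code written for this page, not django.contrib.auth.forms.PasswordResetForm and not part of the changelog): a stand-in for the reset view is driven with three constructed addresses, one unknown, one known and deliverable, and one known whose mailbox rejects mail. The vulnerable variant lets the send failure propagate, so an attacker comparing HTTP statuses can tell the third address apart; the fixed variant catches the failure and logs it, as the advisory describes. The user set, the failing mailbox and the log message wording are all assumptions made for the example.

```python
import logging

# Constructed data (not from the advisory). "carol" exists but her provider
# rejects mail: the exact situation in which the unhandled exception leaked.
USERS = {"alice@example.com", "carol@example.com"}
FAILING_MAILBOXES = {"carol@example.com"}
PROBE_ADDRESSES = ["alice@example.com", "carol@example.com", "mallory@example.com"]


class SMTPError(Exception):
    """Stand-in for whatever the mail backend raises."""


def send_mail(to_email):
    """Fake mail backend: succeeds unless the mailbox is in the failing set."""
    if to_email in FAILING_MAILBOXES:
        raise SMTPError("550 mailbox unavailable")
    return True


def matching_users(email):
    """Mirror of 'look up users by e-mail'; unknown addresses yield nothing."""
    return [u for u in USERS if u == email]


def vulnerable_password_reset(email):
    """Pre-fix behaviour: a send failure escapes the view."""
    for user in matching_users(email):
        send_mail(user)
    return 302  # Django redirects to the 'e-mail sent' page regardless


def fixed_password_reset(email, logger=None):
    """Post-fix behaviour: failures are logged, the response stays uniform."""
    logger = logger or logging.Logger("django.contrib.auth")
    for user in matching_users(email):
        try:
            send_mail(user)
        except Exception:
            # Message text is an assumption; the point is that it is logged,
            # not returned to the client.
            logger.exception("Failed to send password reset email to %s", user)
    return 302


class ListHandler(logging.Handler):
    """Collects formatted log messages so the test can inspect them."""

    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(record.getMessage())


def observe(view, email, **kwargs):
    """What a remote client sees: the status, or 500 if the view blew up."""
    try:
        return view(email, **kwargs)
    except Exception:
        return 500


def distinguishable(view, emails, **kwargs):
    """True if status codes alone separate at least two of the addresses."""
    return len({observe(view, e, **kwargs) for e in emails}) > 1


def run_fixed_with_capture(emails):
    """Drive the fixed view over `emails`; return (statuses, logged messages)."""
    handler = ListHandler()
    logger = logging.Logger("django.contrib.auth")
    logger.addHandler(handler)
    statuses = [observe(fixed_password_reset, e, logger=logger) for e in emails]
    return statuses, handler.messages


if __name__ == "__main__":
    for addr in PROBE_ADDRESSES:
        print(addr, "vulnerable ->", observe(vulnerable_password_reset, addr),
              "fixed ->", observe(fixed_password_reset, addr))
```

The vulnerable view answers 302 for the unknown address and for alice but 500 for carol, which is enough for an attacker to confirm that carol's address belongs to an account. The fixed view answers 302 for all three and leaves the failure in the django.contrib.auth log for operators. Status codes are only one channel: if mail is sent synchronously, the extra time spent talking to the mail server for known addresses is a separate timing side channel that this fix does not address, so sending reset mail from a background worker is still the safer design.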
python-django (3:5.1-1) experimental; urgency=medium
* New upstream 5.1 release.
<https://www.djangoproject.com/weblog/2024/aug/07/django-51-released/>
-- Chris Lamb <[email protected]> Wed, 07 Aug 2024 16:14:05 +0100
python-django (3:5.1~rc1-1) experimental; urgency=medium
* New upstream 5.1 release candidate.
<https://www.djangoproject.com/weblog/2024/jul/24/django-51-rc1/>
-- Chris Lamb <[email protected]> Thu, 25 Jul 2024 11:33:24 +0100
python-django (3:5.1~beta1-1) experimental; urgency=medium
* New upstream beta release.
<https://www.djangoproject.com/weblog/2024/jun/26/django-51-beta-1-released/>
* Add pybuild-plugin-pyproject to Build-Depends.
-- Chris Lamb <[email protected]> Wed, 26 Jun 2024 10:15:54 -0700
python-django (3:5.1~alpha1-1) experimental; urgency=medium
* New upstream experimental alpha release.
<https://www.djangoproject.com/weblog/2024/may/22/django-51-alpha-1-released/>
* Refresh patches.
-- Chris Lamb <[email protected]> Thu, 23 May 2024 10:48:03 +0100
python-django (3:5.0.6-1) experimental; urgency=medium
* New upstream bugfix release, incorporating changes from 5.0.5 as well.
<https://docs.djangoproject.com/en/5.0/releases/5.0.5/>
<https://docs.djangoproject.com/en/5.0/releases/5.0.6/>
-- Chris Lamb <[email protected]> Wed, 08 May 2024 11:12:00 +0100
python-django (3:5.0.4-1) experimental; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/dev/releases/5.0.4/>
-- Chris Lamb <[email protected]> Thu, 04 Apr 2024 10:07:42 +0100
python-django (3:5.0.3-1) experimental; urgency=medium
* New upstream security release:
- CVE-2024-27351: Fix a potential regular expression denial-of-service
(ReDoS) attack in django.utils.text.Truncator.words. This method
(with html=True) and the truncatewords_html template filter were subject
to a potential regular expression denial-of-service attack via a suitably
crafted string. This is, in part, a follow up to CVE-2019-14232 and
CVE-2023-43665.
<https://docs.djangoproject.com/en/dev/releases/5.0.3/>
-- Chris Lamb <[email protected]> Tue, 05 Mar 2024 12:37:11 +0000
python-django (3:5.0.2-1) experimental; urgency=medium
* New upstream security release:
- CVE-2024-24680: Potential denial-of-service in intcomma template filter.
The intcomma template filter was subject to a potential denial-of-service
attack when used with very long strings.
<https://docs.djangoproject.com/en/dev/releases/5.0.2/>
-- Chris Lamb <[email protected]> Tue, 06 Feb 2024 08:08:50 -0800
python-django (3:5.0.1-1) experimental; urgency=medium
* New upstream bugfix release.
<https://docs.djangoproject.com/en/dev/releases/5.0.1/>
-- Chris Lamb <[email protected]> Wed, 03 Jan 2024 11:07:26 +0000
python-django (3:5.0-1) experimental; urgency=medium
* New upstream stable release.
<https://docs.djangoproject.com/en/5.0/releases/5.0/>
-- Chris Lamb <[email protected]> Thu, 07 Dec 2023 12:52:28 +0000
python-django (3:5.0~rc1-1) experimental; urgency=medium
* New upstream RC1 release.
<https://www.djangoproject.com/weblog/2023/nov/20/django-50-rc1/>
-- Chris Lamb <[email protected]> Tue, 21 Nov 2023 08:43:43 +0000
python-django (3:5.0~alpha1-1) experimental; urgency=medium
* New upstream alpha release.
<https://www.djangoproject.com/weblog/2023/sep/18/django-50-alpha-1-released/>
* Refresh patches.
-- Chris Lamb <[email protected]> Tue, 19 Sep 2023 11:09:34 -0700
** Changed in: python-django (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14232
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-43665
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-24680
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-27351
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-45230
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-45231
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-53907
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-53908
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-56374
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-32873
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-48432
** Changed in: python-django (Ubuntu)
Status: Fix Released => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2110437
Title:
Merge python-django from Debian Unstable for questing