[Git][security-tracker-team/security-tracker][master] Reserve DLA-3191-1 for python-django

Chris Lamb (@lamby) lamby at debian.org
Thu Nov 17 09:49:57 GMT 2022



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c3c17135 by Chris Lamb at 2022-11-17T09:49:30+00:00
Reserve DLA-3191-1 for python-django

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -63567,7 +63567,6 @@ CVE-2022-23834
 CVE-2022-23833 (An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27 ...)
 	{DSA-5254-1 DLA-2906-1}
 	- python-django 2:3.2.12-1 (bug #1004752)
-	[buster] - python-django <no-dsa> (Minor issue)
 	NOTE: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
 	NOTE: https://github.com/django/django/commit/fc18f36c4ab94399366ca2f2007b3692559a6f23 (main)
 	NOTE: https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9 (4.0.2)
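Review bot: the advisory cross-reference line `{DSA-5254-1 DLA-2906-1}` in the CVE-2022-23833 entry is not updated while the `[buster] - python-django <no-dsa> (Minor issue)` line is dropped. If the brace list is meant to enumerate every advisory that fixes this CVE, DLA-3191-1 should be appended there in the same commit; otherwise the only trace of the buster fix in this entry is the disappearance of the no-dsa marker.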
@@ -67192,7 +67191,6 @@ CVE-2022-22819 (NXP LPC55S66JBD64, LPC55S66JBD100, LPC55S66JEV98, LPC55S69JBD64,
 CVE-2022-22818 (The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3 ...)
 	{DSA-5254-1 DLA-2906-1}
 	- python-django 2:3.2.12-1 (bug #1004752)
-	[buster] - python-django <no-dsa> (Minor issue)
 	NOTE: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
 	NOTE: https://github.com/django/django/commit/394517f07886495efcf79f95c7ee402a9437bd68 (main)
 	NOTE: https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5 (4.0.2)
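Review bot: the CVE-2022-22818 entry keeps `{DSA-5254-1 DLA-2906-1}` unchanged after the `[buster] - python-django <no-dsa> (Minor issue)` line is removed, so DLA-3191-1 is not referenced from the CVE record. Consider adding it to the brace list alongside the existing DSA and DLA so the buster fix is discoverable from the entry itself.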
@@ -71367,7 +71365,6 @@ CVE-2021-45453
 CVE-2021-45452 (Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 b ...)
 	- python-django 2:3.2.11-1 (bug #1003113)
 	[bullseye] - python-django 2:2.2.26-1~deb11u1
-	[buster] - python-django <postponed> (Minor issue; fix in next update)
 	[stretch] - python-django <postponed> (Minor issue; fix in next update)
 	NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
 	NOTE: https://github.com/django/django/commit/8d2f7cff76200cbd2337b2cf1707e383eb1fb54b (3.2.11)
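Review bot: in the CVE-2021-45452 entry only the buster `<postponed>` line is removed; leaving `[stretch] - python-django <postponed> (Minor issue; fix in next update)` is fine if stretch is outside this DLA's scope, but unlike the two entries above this one has no `{...}` advisory cross-reference line at all. Adding `{DLA-3191-1}` here would make the buster fix visible from the CVE record.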


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[17 Nov 2022] DLA-3191-1 python-django - security update
+	{CVE-2021-45452 CVE-2022-22818 CVE-2022-23833}
+	[buster] - python-django 1:1.11.29-1+deb10u4
 [16 Nov 2022] DLA-3190-1 grub2 - security update
 	{CVE-2022-2601 CVE-2022-3775}
 	[buster] - grub2 2.06-3~deb10u2
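Review bot: the new DLA-3191-1 entry lists `{CVE-2021-45452 CVE-2022-22818 CVE-2022-23833}`, but the dla-needed.txt note dated 20221115 removed in this same commit said the upload would also include CVE-2021-44420. Either that CVE belongs in this brace list (with the matching change to its `[buster]` line in data/CVE/list), or the advisory should state why it was left out.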


=====================================
data/dla-needed.txt
=====================================
@@ -296,18 +296,6 @@ protobuf
 puppet-module-puppetlabs-mysql
   NOTE: 20221107: Programming language: Puppet, Ruby.
 --
-python-django (Chris Lamb)
-  NOTE: 20220911: Some issue was fixed in stretch so it should also be fixed for buster.
-  NOTE: 20221018: There are 4 CVEs on the debian/buster branch that are seemingly unreleased: CVE-2020-24583, CVE-2020-24584, CVE-2021-3281 and CVE-2021-23336. (lamby)
-  NOTE: 20221018: This leaves 8 CVEs that need fixing, either simply because the code is vulnerable or the issue has already been fixed in stretch: CVE-2022-34265, CVE-2022-28346, CVE-2022-23833, CVE-2022-22818, CVE-2021-33571, CVE-2021-33203, CVE-2021-31542 & CVE-2021-28658 (lamby)
-  NOTE: 20221027: To clarify, only the first CVE mentioned in the previous comment (CVE-2022-34265) is vulnerable and not fixed in stretch, and the other seven have already been fixed in stretch. I plan to fix these remaining 1 CVE and release (with 5 total CVEs) instead of trying to co-ordinate a release with 12 (!) new patches. I can address them later. (lamby)
-  NOTE: 20221031: Programming language: Python.
-  NOTE: 20221031: VCS: https://salsa.debian.org/python-team/modules/python-django.git
-  NOTE: 20221031: Special attention: Chris Lamb is the maintainer.
-  NOTE: 20221103: Re-added pre-20221031 comments from Git and reclaimed; will upload at least CVE-2022-28346 soon. (lamby)
-  NOTE: 20221104: Uploaded with three more CVEs: CVE-2022-28346  CVE-2021-45115 CVE-2021-45116 (lamby)
-  NOTE: 20221115: Will upload shortly with CVE-2021-44420, CVE-2021-45452, CVE-2022-22818 & CVE-2022-23833 (lamby)
---
 qemu
   NOTE: 20221108: Programming language: C.
   NOTE: 20221108: I updated the status of all opened (minor) CVEs to more clearly state whether we can fix or are waiting for a patch,
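Review bot: deleting the whole python-django block also drops the tracking of CVEs the notes say are still open for buster. The 20221018 and 20221027 notes list CVE-2021-33571, CVE-2021-33203, CVE-2021-31542 and CVE-2021-28658 as needing a buster fix ("I can address them later"), and neither the 20221104 nor the 20221115 upload note mentions them. If they still apply to buster, keep the entry with a note describing the remaining work rather than removing it, so the deferred CVEs are not lost from the needed list.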



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3c17135ff416e0b0ac61a121e8c200c91efaf58




