[Python-modules-team] python-django_1.10.7-2+deb9u6_amd64.changes ACCEPTED into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates

Debian FTP Masters ftpmaster at ftp-master.debian.org
Wed Aug 14 19:47:47 BST 2019



Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Aug 2019 10:42:49 +0100
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1:1.10.7-2+deb9u6
Distribution: stretch-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team at lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby at debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 934026
Changes:
 python-django (1:1.10.7-2+deb9u6) stretch-security; urgency=high
 .
   * Backport four security patches from upstream. (Closes: #934026)
     <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
 .
     - CVE-2019-14232: Denial-of-service possibility in
       django.utils.text.Truncator
 .
       If django.utils.text.Truncator's chars() and words() methods were passed
       the html=True argument, they were extremely slow to evaluate certain
       inputs due to a catastrophic backtracking vulnerability in a regular
       expression. The chars() and words() methods are used to implement the
       truncatechars_html and truncatewords_html template filters, which were
       thus vulnerable.
 .
       The regular expressions used by Truncator have been simplified in order
       to avoid potential backtracking issues. As a consequence, trailing
       punctuation may now at times be included in the truncated output.
 .
     - CVE-2019-14233: Denial-of-service possibility in strip_tags()
 .
       Due to the behavior of the underlying HTMLParser,
       django.utils.html.strip_tags() would be extremely slow to evaluate
       certain inputs containing large sequences of nested incomplete HTML
       entities. The strip_tags() method is used to implement the corresponding
       striptags template filter, which was thus also vulnerable.
 .
       strip_tags() now avoids recursive calls to HTMLParser when progress
       removing tags, but necessarily incomplete HTML entities, stops being
       made.
 .
       Remember that absolutely NO guarantee is provided about the results of
       strip_tags() being HTML safe. So NEVER mark safe the result of a
       strip_tags() call without escaping it first, for example with
       django.utils.html.escape().
 .
     - CVE-2019-14234: SQL injection possibility in key and index lookups for
       JSONField/HStoreField
 .
       Key and index lookups for django.contrib.postgres.fields.JSONField and
       key lookups for django.contrib.postgres.fields.HStoreField were subject
       to SQL injection, using a suitably crafted dictionary, with dictionary
       expansion, as the **kwargs passed to QuerySet.filter().
 .
     - CVE-2019-14235: Potential memory exhaustion in
       django.utils.encoding.uri_to_iri()
 .
       If passed certain inputs, django.utils.encoding.uri_to_iri could lead to
       significant memory usage due to excessive recursion when
       re-percent-encoding invalid UTF-8 octet sequences.
 .
       uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8
       octet sequences.
Checksums-Sha1:
 e4c794483d1479af946eeea752961d20a12448c2 2804 python-django_1.10.7-2+deb9u6.dsc
 5edd13a642460c33cdaf8e8166eccf6b2a2555df 7737654 python-django_1.10.7.orig.tar.gz
 feab4bd57a62673926a3089667c625ab395c3741 43076 python-django_1.10.7-2+deb9u6.debian.tar.xz
 7ebe2c2077bb53cd39df0e45a09b7c0bf7a77944 1514716 python-django-common_1.10.7-2+deb9u6_all.deb
 1677744710e8471218b165cc907c93057ba0706a 2536628 python-django-doc_1.10.7-2+deb9u6_all.deb
 b216433020dd160e046db6b00edd4256eb7e4dd5 904768 python-django_1.10.7-2+deb9u6_all.deb
 2058552727dcb0ced961d1ae5f74bef48927ce04 9329 python-django_1.10.7-2+deb9u6_amd64.buildinfo
 9142557285e2d19f39e9acd053f066c97fb7b55a 886550 python3-django_1.10.7-2+deb9u6_all.deb
Checksums-Sha256:
 31b4b068e1d93983fcf41f48c6d03356d180dcd6ae257f6d0e677207c62a90f1 2804 python-django_1.10.7-2+deb9u6.dsc
 593d779dbc2350a245c4f76d26bdcad58a39895e87304fe6d725bbdf84b5b0b8 7737654 python-django_1.10.7.orig.tar.gz
 61382e22d2c377a3897365f20119d98230289c67973dc512853b2abb41ff88dc 43076 python-django_1.10.7-2+deb9u6.debian.tar.xz
 74d0de4efcbc8ac8d0d4ec39aed86f0f843e935a39028d3e0f5b76dd609443c3 1514716 python-django-common_1.10.7-2+deb9u6_all.deb
 cb1e96c5c3f1b17b89a5df81fbc774c0c1b0abc680100d8d0778e51c035e602f 2536628 python-django-doc_1.10.7-2+deb9u6_all.deb
 6bf000c33f8bb17ad8a257bd78952ad6e35658a5d4be806f9ff6f2daf8a1b653 904768 python-django_1.10.7-2+deb9u6_all.deb
 0f9c2eaadfb56b187b2aef853329eb6705940399e26c1075b246628bd486fc11 9329 python-django_1.10.7-2+deb9u6_amd64.buildinfo
 6122ac69a7e6a6fc896f740273bed3264a8939baca4ef6c34c62dd08c6a41439 886550 python3-django_1.10.7-2+deb9u6_all.deb
Files:
 28e7abea4ed8cf9aa53950deb52603bd 2804 python optional python-django_1.10.7-2+deb9u6.dsc
 693dfeabad62c561cb205900d32c2a98 7737654 python optional python-django_1.10.7.orig.tar.gz
 6c63fd07ef43706fd86b67f07e204b86 43076 python optional python-django_1.10.7-2+deb9u6.debian.tar.xz
 4ba563d58feed3e7818d1f4c72deb6d9 1514716 python optional python-django-common_1.10.7-2+deb9u6_all.deb
 67667859611c2db6c30ad48803fe7a42 2536628 doc optional python-django-doc_1.10.7-2+deb9u6_all.deb
 fa18d0d0099d0fa68689b16da088c089 904768 python optional python-django_1.10.7-2+deb9u6_all.deb
 ea3a0e4efb7e475b90b8b0cec832eb2d 9329 python optional python-django_1.10.7-2+deb9u6_amd64.buildinfo
 e80305618a1b280d09ac4dc0d60dd84b 886550 python optional python3-django_1.10.7-2+deb9u6_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl1OzZ0ACgkQHpU+J9Qx
HljGtg//ULQz2jZgue2kaaByCiQCZzH1tDP+nThkea1ZVxsYlkMskJDvNIdtAlKB
MzoRfb1yJR81WSmg4OCKlnzitqmvtcKDuIqlzCpSzBqJicY2pu2vT4GkpUNfpwK2
PIrCQrpEp5+ArWTDW6+gRmj1vLCNYg1xpPyMSUWQ9EqQSAoOctwt1FAjfVcOEvDB
XEJ3rbwbeezpN/kPRLTSsHXFLFyptJANFaAC7Lg0JAQUmEkCIVZboojo6sizKXpp
k+XB8qRJySCrp+gW09vx0+Gzs8wNszuJuzUnbDICgCBRIPkBUlicdna5ZojqzIH7
f0Qvpue5LzcGF2+8TBydaERqg1WX09FiGUHFM0+S2GKXEsPVnARRMD4DGfxPQ0hf
cPHK/kxWX1DWCeaW5eimoZK4upft2UZF5pBqEZ07n6CN6qKOM1FW4wcLXfjAEwdB
rhTT+/hWjzSO50rxQS8OSu8JspdvtLcgJgu4qV2arzFcIJGUDZWgq8lXMLHJKCLq
b3tjREYbl/sUFmGtYTRxbfDotKjKu9lM5wxRL++ffYYGBDzWrRAPXogGE1N3wt/R
xo+GrAAvgblalDty79vYPSRIrEDKXniPYxmJIAVUu/FP80s2P5a/b2fAZorCo/HJ
wsXt833bBGKfFkg6XsdfuTULK9ntUgsIHR7RfItYRLL0VVyk4m4=
=5Zq5
-----END PGP SIGNATURE-----


Thank you for your contribution to Debian.
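The CVE-2019-14234 entry above describes the pattern that bit applications: a
request-supplied dictionary expanded with ** straight into QuerySet.filter(),
so that the lookup *keys* (not just the values) came from the attacker and were
interpolated into the generated SQL for JSONField/HStoreField key lookups. The
package upgrade is the fix; the guard below is an added, defence-in-depth
example written for this note, not code from Django or from the Debian package.
It assumes the caller knows which model fields are JSON/HStore (arbitrary key
paths allowed) and which are scalar (only a known lookup suffix allowed); the
names safe_filter_kwargs, UnsafeLookupKey and the allowlists are hypothetical,
and it runs without Django so it can be tried stand-alone.

```python
import re
from typing import Any, Dict, Iterable, Mapping

# A Django lookup key is a field name followed by zero or more "__"-separated
# segments (transforms, lookups, or JSON/HStore key names), e.g.
# "data__owner__name" or "title__icontains".  Every segment is restricted to
# [A-Za-z0-9_]; quotes, parentheses, spaces and semicolons never belong in a
# key, so a crafted key such as "data__x') OR 1=1 --" is rejected outright.
_LOOKUP_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:__[A-Za-z0-9_]+)*$")

# Lookups the example is willing to accept on scalar fields (hypothetical
# allowlist; extend for your own models).
DEFAULT_LOOKUPS = frozenset({"exact", "iexact", "contains", "icontains",
                             "in", "gt", "gte", "lt", "lte", "isnull"})


class UnsafeLookupKey(ValueError):
    """Raised when an untrusted filter key must not reach QuerySet.filter()."""


def safe_filter_kwargs(allowed_fields: Mapping[str, bool],
                       user_params: Mapping[Any, Any],
                       allowed_lookups: Iterable[str] = DEFAULT_LOOKUPS) -> Dict[str, Any]:
    """Return a copy of user_params that is safe to expand as filter(**kwargs).

    allowed_fields maps a model field name to True if it is a JSONField/HStoreField
    (so "__"-separated key paths are permitted, alphabet-restricted) or False if
    it is a scalar field (so any suffix must be a known lookup name).
    Any key that is not a str, fails the alphabet check, names an unlisted field,
    or uses an unlisted lookup raises UnsafeLookupKey instead of being passed on.
    """
    lookups = set(allowed_lookups)
    clean: Dict[str, Any] = {}
    for key, value in user_params.items():
        if not isinstance(key, str) or not _LOOKUP_KEY.match(key):
            raise UnsafeLookupKey(f"malformed lookup key: {key!r}")
        field, *segments = key.split("__")
        if field not in allowed_fields:
            raise UnsafeLookupKey(f"field not allowed: {field!r}")
        if not allowed_fields[field]:
            # Scalar field: only a single, known lookup suffix is acceptable.
            if len(segments) > 1 or (segments and segments[0] not in lookups):
                raise UnsafeLookupKey(f"lookup not allowed: {key!r}")
        # JSON/HStore field: key-path segments already passed the alphabet check.
        clean[key] = value
    return clean


def is_rejected(allowed_fields: Mapping[str, bool], user_params: Mapping[Any, Any]) -> bool:
    """True if safe_filter_kwargs refuses the given parameters."""
    try:
        safe_filter_kwargs(allowed_fields, user_params)
    except UnsafeLookupKey:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample model: "title" is a CharField, "data" is a JSONField.
    fields = {"title": False, "data": True}
    # Constructed request parameters, as a view might get them from request.GET.
    good = {"title__icontains": "django", "data__owner__name": "lamby", "data__0": 1}
    bad = {"data__owner') OR 1=1 --": "x"}
    print(safe_filter_kwargs(fields, good))
    print("crafted key rejected:", is_rejected(fields, bad))
```

The important property is that keys are checked before ** expansion, so the
crafted dictionary never reaches the ORM. With the patched package installed
the ORM escapes JSON/HStore key names itself; keeping a guard like this in the
view is still good practice, because user-controlled filter keys also expose
whatever fields and lookups the model happens to have.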


