Debian 10261 Published by

A python-django security update has been released for Debian GNU/Linux 10 to address multiple vulnerabilities.



: python-django security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3177-1 debian-lts@lists.debian.org   https://www.debian.org/lts/security/
Chris Lamb November 04, 2022
  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : python-django
Version : 1:1.11.29-1+deb10u3
CVE IDs : CVE-2022-28346 CVE-2021-45115 CVE-2021-45116 Debian Bugs : 1003113 1009677

It was discovered that there were multiple vulnerabilies in Django, a popular Python-based development framework:

* CVE-2022-28346: An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.
QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

* CVE-2021-45115: An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.
UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.

* CVE-2021-45116: An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.

For Debian 10 buster, these problems have been fixed in version 1:1.11.29-1+deb10u3.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to its security tracker page at:
  https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:   https://wiki.debian.org/LTS