Debian 10261 Published by

A python-django security update has been released for Debian GNU/Linux 8 Extended LTS to address two vulnerabilities.



ELA-558-1 python-django security update

Package python-django
Version 1.7.11-1+deb8u15
Related CVEs CVE-2022-22818 CVE-2022-23833

It was discovered that there were two vulnerabilities in Django, the popular Python-based web development framework:

CVE-2022-22818: Possible XSS via the {% debug %} template tag.

The {% debug %} template tag didn’t properly encode the current context, posing an XSS attack vector.

In order to avoid this vulnerability, {% debug %} no longer outputs information when the DEBUG setting is False, and it ensures all context variables are correctly escaped when the DEBUG setting is True.

CVE-2022-23833: Denial-of-service possibility in file uploads

Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

For Debian 8 Jessie, these problems have been fixed in version 1.7.11-1+deb8u15.

We recommend that you upgrade your python-django packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-558-1 python-django security update