Debian Quality Assurance

python-django (3:5.1~rc1-1) [PTS] [DDPO]

OLD: VCS is behind the version in the archive: 3:4.2.14-1 < 3:5.1~rc1-1.

• Git: https://salsa.debian.org/python-team/packages/python-django.git
• JSON
  Enter a full Vcs-* header, supported schemes are: Vcs-Bzr, Vcs-Cvs, Vcs-Darcs, Vcs-Git, Vcs-Hg, Vcs-Mtn, Vcs-Svn.
  For Vcs-Git append -b branch to select the branch name; append [subdir] if the debian/ directory is not in the repository root.
  The next upload will reset the information from the source package headers.
• Branch: debian/sid
• Path: debian/changelog
• Repo size: 11567104
• Browser: https://salsa.debian.org/python-team/packages/python-django
• Last scan: 2024-07-25 15:52:19+00
• Next scan: 2024-08-01 22:32:00+00
• CI pipeline status: failed
• Debian changelog in Git:

  python-django (3:4.2.14-1) unstable; urgency=medium
  
    * New upstream security release. (Closes: #1076069)
  
      - CVE-2024-38875: Prevent a potential denial-of-service in
        django.utils.html.urlize. This method (and urlizetrunc) were subject to a
        potential DoS attack via specially-crafted inputs with a very large
        number of brackets.
  
      - CVE-2024-39329: Avoid a username enumeration vulnerability through timing
        difference for users with unusable password. The authenticate method of
        django.contrib.auth.backends.ModelBackend method allowed remote attackers
        to enumerate users via a timing attack involving login requests for users
        with unusable passwords.
  
      - CVE-2024-39330: Address a potential directory-traversal in
        django.core.files.storage.Storage.save. Derived classes of this method's
        base class which override generate_filename without replicating the file
        path validations existing in the parent class allowed for potential
        directory-traversal via certain inputs when calling save(). Built-in
        Storage sub-classes were not affected by this vulnerability.
  
      - CVE-2024-39614: Fix a potential denial-of-service in
        django.utils.translation.get_supported_language_variant. This method
        was subject to a potential DoS attack when used with very long strings
        containing specific characters. To mitigate this vulnerability, the
        language code provided to get_supported_language_variant is now parsed up
        to a maximum length of 500 characters.
  
      <https://www.djangoproject.com/weblog/2024/jul/09/security-releases/>
  
   -- Chris Lamb <lamby@debian.org>  Wed, 10 Jul 2024 09:50:49 +0100

• This branch is even with tag debian/3%4.2.14-1

Package: JSON [Main page]

---

Back to the Debian Project homepage.

---