python-django (3:5.1~rc1-1)
OLD: VCS is behind the version in the archive: 3:4.2.15-1 < 3:5.1~rc1-1.
- Git: https://salsa.debian.org/python-team/packages/python-django.git
- Branch: debian/sid
- Path: debian/changelog
- Repo size: 13250560
- Browser: https://salsa.debian.org/python-team/packages/python-django
- Last scan: 2024-08-13 07:59:17+00
- Next scan: 2024-08-21 16:44:00+00
- CI pipeline status: failed
- Debian changelog in Git:
  python-django (3:4.2.15-1) unstable; urgency=high

    * New upstream security release. (Closes: #1078074)

      - CVE-2024-41989: Memory exhaustion in django.utils.numberformat.
        The floatformat template filter is subject to significant memory
        consumption when given a string representation of a number in
        scientific notation with a large exponent.

      - CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize.
        The urlize() and urlizetrunc() template filters are subject to a
        potential denial-of-service attack via very large inputs with a specific
        sequence of characters.

      - CVE-2024-41991: Potential denial-of-service vulnerability in
        django.utils.html.urlize() and AdminURLFieldWidget.
        The urlize and urlizetrunc template filters, and the AdminURLFieldWidget
        widget, are subject to a potential denial-of-service attack via certain
        inputs with a very large number of Unicode characters.

      - CVE-2024-42005: Potential SQL injection in QuerySet.values() and
        values_list().
        QuerySet.values() and values_list() methods on models with a JSONField
        are subject to SQL injection in column aliases via a crafted JSON object
        key as a passed *arg.

      <https://www.djangoproject.com/weblog/2024/aug/06/security-releases/>

   -- Chris Lamb <lamby@debian.org>  Tue, 06 Aug 2024 16:59:24 +0100
- This branch is even with tag debian/3%4.2.15-1