python-django: CVE-2022-22818 CVE-2022-23833


Debian Bug report logs - #1004752


Reported by: "Chris Lamb" <lamby@debian.org>

Date: Tue, 1 Feb 2022 17:09:02 UTC

Severity: grave

Tags: security

Found in versions 2:2.2.25-1~deb11u1, 2:3.2.11-2, python-django/1:1.11.29-1~deb10u1, 2:3.2.10-2, 1:1.10.7-2+deb9u14

Fixed in versions python-django/2:3.2.12-1, python-django/2:4.0.2-1

Done: Chris Lamb <lamby@debian.org>





Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#1004752; Package python-django. (Tue, 01 Feb 2022 17:09:04 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Tue, 01 Feb 2022 17:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2022-22818 CVE-2022-23833
Date: Tue, 01 Feb 2022 09:04:43 -0800
Package: python-django
Version: 1:1.10.7-2+deb9u14
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django:

* CVE-2022-22818: Possible XSS via {% debug %} template tag

  The {% debug %} template tag didn't properly encode the current
  context, posing an XSS attack vector.

  In order to avoid this vulnerability, {% debug %} no longer outputs
  information when the DEBUG setting is False, and it ensures all
  context variables are correctly escaped when the DEBUG setting is
  True.

* CVE-2022-23833: Denial-of-service possibility in file uploads

  Passing certain inputs to multipart forms could result in an
  infinite loop when parsing files.

This issue has severity "medium" according to the Django security policy.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-22818
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22818
[1] https://security-tracker.debian.org/tracker/CVE-2022-23833
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23833


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
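The first bullet above says only that {% debug %} "didn't properly encode the current context". The following added example (mine, not Django's code and not part of this bug report) models the two shapes of the tag described in the advisory: a dump of the template context emitted verbatim, beside the post-fix behaviour that emits nothing unless DEBUG is True and HTML-escapes the dump otherwise. The context dictionary and the `reflects_raw_markup` check are constructed for the example; Django's real implementation lives in its template engine and is not reproduced here.

```python
import html
from pprint import pformat

# Constructed request context (not from the advisory): one value is attacker
# controlled, e.g. echoed back from a query-string parameter.
SAMPLE_CONTEXT = {
    "user": "alice",
    "q": "<script>alert(document.cookie)</script>",
}


def debug_tag_vulnerable(context: dict) -> str:
    """Pre-fix shape of the tag: the context is pretty-printed and emitted
    as-is. Tag output is treated as already-safe HTML, so any markup inside a
    context value is interpreted by the browser rather than shown as text."""
    return "<pre>Context:\n" + pformat(context) + "</pre>"


def debug_tag_fixed(context: dict, debug: bool) -> str:
    """Post-fix shape, per the advisory: print nothing unless DEBUG is True,
    and HTML-escape the dump so context values can only ever render as text."""
    if not debug:
        return ""
    return "<pre>Context:\n" + html.escape(pformat(context)) + "</pre>"


def reflects_raw_markup(rendered: str) -> bool:
    """Check to run against a rendered page: did a raw <script> tag from the
    context survive into the output unescaped?"""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable, DEBUG=True :",
          reflects_raw_markup(debug_tag_vulnerable(SAMPLE_CONTEXT)))
    print("fixed, DEBUG=True      :",
          reflects_raw_markup(debug_tag_fixed(SAMPLE_CONTEXT, debug=True)))
    print("fixed, DEBUG=False     :",
          repr(debug_tag_fixed(SAMPLE_CONTEXT, debug=False)))
```

The practical takeaway for an operator is the second half of the fix: even on a patched Django, a {% debug %} left in a production template is an information leak of the whole context, so the DEBUG=False gate is what keeps it harmless, and grepping templates for the tag is a cheap check.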



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 01 Feb 2022 17:39:03 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 01 Feb 2022 17:39:03 GMT)


Message #10 received at 1004752-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1004752-close@bugs.debian.org
Subject: Bug#1004752: fixed in python-django 2:4.0.2-1
Date: Tue, 01 Feb 2022 17:34:19 +0000
Source: python-django
Source-Version: 2:4.0.2-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1004752@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 Feb 2022 09:02:51 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:4.0.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1004752
Changes:
 python-django (2:4.0.2-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2022-22818: Possible XSS via {% debug %} template tag.
       The {% debug %} template tag didn't properly encode the current context,
       posing an XSS attack vector.
 .
       In order to avoid this vulnerability, {% debug %} no longer outputs
       information when the DEBUG setting is False, and it ensures all context
       variables are correctly escaped when the DEBUG setting is True.
 .
     - CVE-2022-23833: Denial-of-service possibility in file uploads
 .
       Passing certain inputs to multipart forms could result in an
       infinite loop when parsing files.
 .
     See <https://www.djangoproject.com/weblog/2022/feb/01/security-releases/>
     for more information. (Closes: #1004752)
Checksums-Sha1:
 cb621803e4a3e97e3db99d851200c23beaf88dea 2779 python-django_4.0.2-1.dsc
 b671dd5cb40814abb89953ce63db872036a7fb77 9996300 python-django_4.0.2.orig.tar.gz
 499cb39ae4033db321146b3f5c509402b6c22e8b 28412 python-django_4.0.2-1.debian.tar.xz
 5914b45c9d9266cef6a9b6b3e9b62dced517df84 7915 python-django_4.0.2-1_amd64.buildinfo
Checksums-Sha256:
 2cb44bdc787fa5e1f62d083e1a113766162776e347e383fbe3e68807a23c2466 2779 python-django_4.0.2-1.dsc
 110fb58fb12eca59e072ad59fc42d771cd642dd7a2f2416582aa9da7a8ef954a 9996300 python-django_4.0.2.orig.tar.gz
 66f94f095098474d44f0c1dd6b9afd56b0bbfd91921a89013991dc7e21a154b9 28412 python-django_4.0.2-1.debian.tar.xz
 dc2262bbf83657847dcd207de5b7c07899700b01ce2ea4d758c509a73984924f 7915 python-django_4.0.2-1_amd64.buildinfo
Files:
 e16dcb04ec2b0b5b9e4063348922a71b 2779 python optional python-django_4.0.2-1.dsc
 a86339c0e87241597afa8744704d9965 9996300 python optional python-django_4.0.2.orig.tar.gz
 1fef93dd00604da057ccb2dfde4fb03b 28412 python optional python-django_4.0.2-1.debian.tar.xz
 4962f09548b1dc07a0cf1c78869d7c4b 7915 python optional python-django_4.0.2-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmH5bPYACgkQHpU+J9Qx
Hljlrg/+LTMdi+/Jy00di92VV26fKAQUn4fqApJA9o9KSk9O4fBWR3dUkuWIT16T
1J9UrQDPvYvJIlf13baQSKnLgxPZtSH+wjDBCVOtxC/XNdxiQ7GnpDmmnAOpQgX1
3dVGpe3NmTx06HnwdlVTqzLIwLw1jBXG1aSk+bUal7NEfIc5wmUQcOLdT+4fOLo5
G3p0TmnnreWpWXvB6m2fPwT7wDvZdZ+MaRY8eK4WOOnZD04xAktBRIYWTGZlo78r
HbvBkTQaWSv908nDwS/d2MEQo52u1xJCOM68zv1oGL8cgs8rJiplgLCiL2dLDXzF
CnQkn9HJXsqrSJSgO8Vt4RObN3aOzmcp79SF5Kqye6OSaYt42v9nzR82zSGv67JX
Ue2bXcItXSl2zWrApDOefR+sCTkZfXB/3iBCDoRQezFqZJUXyALjIxz/r0o0ZTLv
md9j67v9bJdp3WGrbOLe2cf09FuW6bsVm2Zq8C6fetliddTv7wao4SrniQAexm0B
WmseI2DXWQusSXr+/AWOdkZT5itf35X0apuvvqcBQbbaDqW+EJFhiSkmZyS43/6N
aZBabu5JisNHZ/6wsIn6tiBcLOFHvUFHynNYf/SZ9C0X7CZkooUOkDiOcbWvpJw0
aM/3aAq+gvkkWMD3c9SXhZ/sCn3XMKPhsiOvEC8QhyHvT6iTnDw=
=usbx
-----END PGP SIGNATURE-----
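The changelog entry for CVE-2022-23833 above says only that "certain inputs to multipart forms could result in an infinite loop when parsing files"; neither the advisory nor this bug log gives the trigger. The following added example (mine, not Django's multipart parser and not derived from its fix) models the generic shape of that failure mode: a parsing loop that decides to skip a part but never consumes it, so the same part is examined forever. The body, boundary, the toy splitter and the skip condition (a filename that sanitizes to nothing) are all constructed for the example, not taken from the advisory. The practitioner-facing pieces are the progress guard that turns a hang into an exception and the hardened loop that consumes every part regardless of the branch taken.

```python
import re

# Constructed multipart/form-data body (not from the advisory): the first
# part carries a filename that sanitizes to nothing, the second is a
# normal upload.
BOUNDARY = b"XsEp"
SAMPLE_BODY = (
    b"--XsEp\r\n"
    b'Content-Disposition: form-data; name="f1"; filename="../"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"skip me\r\n"
    b"--XsEp\r\n"
    b'Content-Disposition: form-data; name="f2"; filename="notes.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"hello\r\n"
    b"--XsEp--\r\n"
)


def split_parts(body: bytes, boundary: bytes) -> list:
    """Toy splitter: cut the body at '--boundary' delimiters. chunks[0] is the
    preamble; the closing '--boundary--' leaves a chunk starting with '--'."""
    chunks = body.split(b"--" + boundary)
    return [c for c in chunks[1:] if not c.startswith(b"--")]


def part_filename(part: bytes) -> str:
    """Pull filename="..." out of the part's header block ('' if absent)."""
    headers, _, _ = part.partition(b"\r\n\r\n")
    m = re.search(rb'filename="([^"]*)"', headers)
    return m.group(1).decode("utf-8", "replace") if m else ""


def sanitize_file_name(name: str) -> str:
    """Keep only the last path component; path-only or dot names become ''."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    return "" if name in (".", "..") else name


def count_uploads_vulnerable(body: bytes, boundary: bytes,
                             step_limit: int = 1000) -> int:
    """Modelled bug: a skip branch that does not advance the cursor. The
    step_limit is the progress guard a reviewer would add; without it this
    loop never terminates on SAMPLE_BODY."""
    parts = split_parts(body, boundary)
    uploads, i, steps = 0, 0, 0
    while i < len(parts):
        steps += 1
        if steps > step_limit:
            raise RuntimeError("parser made no progress; would loop forever")
        if not sanitize_file_name(part_filename(parts[i])):
            continue  # BUG: part i is skipped but never consumed (i unchanged)
        uploads += 1
        i += 1
    return uploads


def count_uploads_fixed(body: bytes, boundary: bytes,
                        max_parts: int = 1000) -> int:
    """Hardened loop: iteration itself consumes each part, so 'continue' is
    safe, and an explicit cap bounds work on hostile bodies."""
    uploads = 0
    for n, part in enumerate(split_parts(body, boundary)):
        if n >= max_parts:
            raise ValueError("too many multipart parts")
        if not sanitize_file_name(part_filename(part)):
            continue  # skipped, but the for loop still moves to the next part
        uploads += 1
    return uploads


def parser_hangs(body: bytes, boundary: bytes) -> bool:
    """True when the vulnerable loop trips its progress guard on this body."""
    try:
        count_uploads_vulnerable(body, boundary)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable loop hangs:", parser_hangs(SAMPLE_BODY, BOUNDARY))
    print("fixed loop uploads   :", count_uploads_fixed(SAMPLE_BODY, BOUNDARY))
```

The same pattern is worth checking in any hand-rolled stream parser: every branch of the loop body, including error and skip branches, must either advance the cursor or leave the loop, and a bounded iteration count or input size makes the failure loud instead of a CPU-pinning hang.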




Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 01 Feb 2022 17:51:05 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 01 Feb 2022 17:51:05 GMT)


Message #15 received at 1004752-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1004752-close@bugs.debian.org
Subject: Bug#1004752: fixed in python-django 2:3.2.12-1
Date: Tue, 01 Feb 2022 17:49:41 +0000
Source: python-django
Source-Version: 2:3.2.12-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1004752@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 Feb 2022 09:28:58 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.12-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1004752
Changes:
 python-django (2:3.2.12-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2022-22818: Possible XSS via {% debug %} template tag.
 .
       The {% debug %} template tag didn't properly encode the current context,
       posing an XSS attack vector.
 .
       In order to avoid this vulnerability, {% debug %} no longer outputs
       information when the DEBUG setting is False, and it ensures all context
       variables are correctly escaped when the DEBUG setting is True.
 .
     - CVE-2022-23833: Denial-of-service possibility in file uploads.
 .
       Passing certain inputs to multipart forms could result in an
       infinite loop when parsing files.
 .
     See <https://www.djangoproject.com/weblog/2022/feb/01/security-releases/>
     for more information. (Closes: #1004752)
Checksums-Sha1:
 cdc813e579d51018d8416c449d14219479d931c2 2807 python-django_3.2.12-1.dsc
 93f6c3f0fd89f5c5a44dee688e752a258900a54e 9812448 python-django_3.2.12.orig.tar.gz
 8f3bfe43385673b8ae937169c395c5dfba8de2fb 35060 python-django_3.2.12-1.debian.tar.xz
 d215015572a9dd6e89c8a97b30fb63f9692033db 8089 python-django_3.2.12-1_amd64.buildinfo
Checksums-Sha256:
 c33aa89544c0b0a5971df3cb18f1fd1deb9ed41035cade5364cda7f3f7f956cc 2807 python-django_3.2.12-1.dsc
 9772e6935703e59e993960832d66a614cf0233a1c5123bc6224ecc6ad69e41e2 9812448 python-django_3.2.12.orig.tar.gz
 7f1bf88141e5e9e06cbf1bc60606ed53b6cb629c384a3dde5a0068aa46eb3591 35060 python-django_3.2.12-1.debian.tar.xz
 b99d78aab5699dbd4b57bdc704c4d980118b2df22b303d35d033741e67698a62 8089 python-django_3.2.12-1_amd64.buildinfo
Files:
 350062ea51fb57ddd8a0b72744d808ef 2807 python optional python-django_3.2.12-1.dsc
 1847b2f286930a9d84e820a757e3a7ec 9812448 python optional python-django_3.2.12.orig.tar.gz
 eedef8404056d75832230ebd4d3e2f30 35060 python optional python-django_3.2.12-1.debian.tar.xz
 77bdb2ee3e8039c7c7b724a99231a894 8089 python optional python-django_3.2.12-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Marked as found in versions 2:3.2.11-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 01 Feb 2022 21:09:02 GMT)


Marked as found in versions 2:3.2.10-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 01 Feb 2022 21:09:03 GMT)


Marked as found in versions 2:2.2.25-1~deb11u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 01 Feb 2022 21:09:03 GMT)


Marked as found in versions python-django/1:1.11.29-1~deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 01 Feb 2022 21:09:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Feb 2 12:09:00 2022; Machine Name: buxtehude
