Debian Bug report logs - #1009677
python-django: CVE-2022-28346
Reported by: "Chris Lamb" <lamby@debian.org>
Date: Thu, 14 Apr 2022 08:48:02 UTC
Severity: grave
Tags: security
Found in version 1:1.10.7-2+deb9u15
Fixed in versions 2:4.0.4-1, 2:3.2.13-1
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>: Bug#1009677; Package python-django. (Thu, 14 Apr 2022 08:48:04 GMT)
Acknowledgement sent to "Chris Lamb" <lamby@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Thu, 14 Apr 2022 08:48:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: python-django
Version: 1:1.10.7-2+deb9u15
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-django.
CVE-2022-28346[0]:
| An issue was discovered in Django 2.2 before 2.2.28, 3.2 before
| 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and
| extra() methods are subject to SQL injection in column aliases via a
| crafted dictionary (with dictionary expansion) as the passed **kwargs.
There was another CVE as part of this release:
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
However, the CVE in question (CVE-2022-28347) does not apply in
buster, stretch or jessie; the .explain(...) functionality was added
in later versions.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-28346
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28346
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
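The pattern the advisory describes (an untrusted dictionary expanded into annotate(**kwargs), so that its keys become column aliases) next to the kind of alias validation the fixed releases apply, as an added stand-alone example that is not part of this bug report or of Django's code. FORBIDDEN_ALIAS_PATTERN, check_alias and the toy render_annotation_sql are assumptions modelled on the upstream fix; no Django import is needed.

```python
import re

# Assumption modelled on the fix shipped in 2.2.28 / 3.2.13 / 4.0.4: reject any
# alias containing a character that can end a quoted identifier or start a
# new statement or comment. Not copied from django/db/models/sql/query.py.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


def alias_is_safe(alias: str) -> bool:
    """True if the alias cannot break out of a double-quoted column name."""
    return FORBIDDEN_ALIAS_PATTERN.search(alias) is None


def check_alias(alias: str) -> str:
    """Return the alias unchanged, or raise before it can reach the SQL compiler."""
    if not alias_is_safe(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace characters, quotation "
            "marks, semicolons, or SQL comments."
        )
    return alias


def render_annotation_sql(annotations: dict) -> str:
    """Toy stand-in for the SELECT list an ORM emits for annotate(**kwargs).

    Aliases are wrapped in double quotes without escaping, which is why an
    alias containing a quote changes the meaning of the statement.
    """
    parts = [f'{expr} AS "{alias}"' for alias, expr in annotations.items()]
    return "SELECT " + ", ".join(parts)


def annotate_unvalidated(untrusted: dict) -> str:
    # Vulnerable pattern: a dictionary parsed from the request is expanded
    # into **kwargs, so its keys become column aliases unchecked.
    return render_annotation_sql({**untrusted})


def annotate_validated(untrusted: dict) -> str:
    # Hardened: every key is validated before the ORM sees it, as the fixed
    # releases do internally. Applications on older releases can apply the
    # same check (or an allow-list of their own alias names) before calling
    # annotate(), aggregate() or extra().
    return render_annotation_sql({check_alias(k): v for k, v in untrusted.items()})


# Constructed inputs: a normal alias and one carrying a quote and a comment marker.
SAFE_INPUT = {"total": "COUNT(*)"}
BAD_INPUT = {'total" --': "COUNT(*)"}
```

With BAD_INPUT the unvalidated path yields `SELECT COUNT(*) AS "total" --"`, where the alias has closed the quoted identifier and commented out the rest, while the validated path raises ValueError.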
Marked as fixed in versions 2:3.2.13-1. Request was from "Chris Lamb" <lamby@debian.org> to control@bugs.debian.org. (Thu, 14 Apr 2022 09:03:06 GMT)
Marked as fixed in versions 2:4.0.4-1. Request was from "Chris Lamb" <lamby@debian.org> to control@bugs.debian.org. (Thu, 14 Apr 2022 09:03:07 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Thu Apr 14 13:10:35 2022; Machine Name: bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.