Univention Bugzilla – Bug 54413
python-django: Multiple issues (4.4)
Last modified: 2022-02-02 16:40:35 CET
New Debian python-django 1:1.10.7-2+deb9u15 fixes:

This update addresses the following issues:

* Possible XSS via '{% debug %}' template tag (CVE-2022-22818)
* Denial-of-service possibility in file uploads (CVE-2022-23833)
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/python-django_1.10.7-2+deb9u14.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/python-django_1.10.7-2+deb9u15.dsc @@ -1,3 +1,24 @@ +1:1.10.7-2+deb9u15 [Tue, 01 Feb 2022 10:12:18 -0800] Chris Lamb <lamby@debian.org>: + + * Upload from the LTS security team: + + - CVE-2022-22818: Possible XSS via {% debug %} template tag. + + The {% debug %} template tag didn't properly encode the current context, + posing an XSS attack vector. + + In order to avoid this vulnerability, {% debug %} no longer outputs + information when the DEBUG setting is False, and it ensures all context + variables are correctly escaped when the DEBUG setting is True. + + - CVE-2022-23833: Denial-of-service possibility in file uploads + + Passing certain inputs to multipart forms could result in an + infinite loop when parsing files. + + See <https://www.djangoproject.com/weblog/2022/feb/01/security-releases/> + for more information. (Closes: #1004752) + 1:1.10.7-2+deb9u14 [Sat, 05 Jun 2021 10:40:51 +0100] Chris Lamb <lamby@debian.org>: * Upload from the LTS security team. (Closes: #989394) <http://piuparts.knut.univention.de/4.4-8/#203156406372123939>
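Review bot: the CVE-2022-23833 entry in the added changelog stanza describes only the problem (an infinite loop when parsing files from multipart forms) and, unlike the CVE-2022-22818 entry above it, says nothing about what the fix changes in behaviour; a sentence on the behavioural change would help anyone triaging this erratum, since the entry otherwise only points at the Django weblog post and Debian bug #1004752 for details.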
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-8] 738ebcd787 Bug #54413: python-django 1:1.10.7-2+deb9u15
 doc/errata/staging/python-django.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x1171>