Changelog
python-django (2:3.2.5-1) experimental; urgency=medium
* New upstream security release:
- CVE-2021-35042: Potential SQL injection via unsanitized
QuerySet.order_by() input.
Unsanitized user input passed to QuerySet.order_by() could bypass
intended column reference validation in path marked for deprecation
resulting in a potential SQL injection even if a deprecation warning is
emitted. As a mitigation, the strict column reference validation was
restored for the duration of the deprecation period. This regression
appeared in Django version 3.1 as a side effect of fixing another bug
(#31426).
For more information, please see:
<https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
-- Chris Lamb <email address hidden> Thu, 01 Jul 2021 10:56:07 +0100