Changelog
python-django (2:4.0.2-1) experimental; urgency=medium

  * New upstream security release:

    - CVE-2022-22818: Possible XSS via {% debug %} template tag.

      The {% debug %} template tag didn't properly encode the current context,
      posing an XSS attack vector.

      In order to avoid this vulnerability, {% debug %} no longer outputs
      information when the DEBUG setting is False, and it ensures all context
      variables are correctly escaped when the DEBUG setting is True.

    - CVE-2022-23833: Denial-of-service possibility in file uploads

      Passing certain inputs to multipart forms could result in an
      infinite loop when parsing files.

    See <https://www.djangoproject.com/weblog/2022/feb/01/security-releases/>
    for more information. (Closes: #1004752)

 -- Chris Lamb <email address hidden>  Tue, 01 Feb 2022 09:02:51 -0800
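The two rules the changelog gives for the CVE-2022-22818 fix (emit nothing unless DEBUG is True; HTML-escape every context variable when it does emit) can be checked in isolation. The block below is an added illustration, not Django's code and not part of this changelog: `render_debug_tag_vulnerable` and `render_debug_tag_fixed` are hypothetical functions that model the pre-fix and post-fix behaviour, and `SAMPLE_CONTEXT` is a constructed context holding a user-controlled value with markup in it.

```python
"""Model of the CVE-2022-22818 mitigation for Django's {% debug %} tag.

Everything here is an assumption for illustration, not Django's own
implementation: render_debug_tag_vulnerable() dumps the context verbatim,
render_debug_tag_fixed() applies the two rules stated in the changelog.
"""
import html
from typing import Any, Mapping


def render_debug_tag_vulnerable(context: Mapping[str, Any]) -> str:
    """Hypothetical pre-fix behaviour: context values reach the HTML unescaped."""
    lines = [f"{name}: {value!r}" for name, value in sorted(context.items())]
    return "<pre>" + "\n".join(lines) + "</pre>"


def render_debug_tag_fixed(context: Mapping[str, Any], debug: bool) -> str:
    """Hypothetical post-fix behaviour following the changelog's two rules."""
    if not debug:
        # Rule 1: no output at all when the DEBUG setting is False.
        return ""
    # Rule 2: every context name and value is escaped before it reaches the page.
    lines = [
        f"{html.escape(name)}: {html.escape(repr(value))}"
        for name, value in sorted(context.items())
    ]
    return "<pre>" + "\n".join(lines) + "</pre>"


# Constructed sample context: one value is attacker-influenced text with markup.
SAMPLE_CONTEXT = {
    "username": "<script>alert(1)</script>",
    "request_id": 42,
}


def contains_raw_markup(rendered: str) -> bool:
    """Detection helper: True if an unescaped <script> element is in the output."""
    return "<script>" in rendered


if __name__ == "__main__":
    print(render_debug_tag_vulnerable(SAMPLE_CONTEXT))
    print(render_debug_tag_fixed(SAMPLE_CONTEXT, debug=True))
    print(repr(render_debug_tag_fixed(SAMPLE_CONTEXT, debug=False)))
```

Run with DEBUG modelled as True, the fixed renderer still shows the context but with `&lt;script&gt;` in place of the raw tag; with DEBUG False it returns an empty string, which is the behaviour a deployment should see in production.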