python-django 2:4.0.4-1 source package in Debian

Changelog

python-django (2:4.0.4-1) experimental; urgency=high

  * New upstream security release:

    - CVE-2022-28346: Potential SQL injection in QuerySet.annotate(),
      aggregate(), and extra().

      QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL
      injection in column aliases, using a suitably crafted dictionary, with
      dictionary expansion, as the **kwargs passed to these methods.

    - CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options)
      on PostgreSQL.

      QuerySet.explain() method was subject to SQL injection in option names,
      using a suitably crafted dictionary, with dictionary expansion, as the
      **options argument.

    See <https://www.djangoproject.com/weblog/2022/apr/11/security-releases/>
    for more info.

 -- Chris Lamb <email address hidden>  Tue, 12 Apr 2022 18:13:56 +0200
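
Both advisories above describe the same mechanism: untrusted keys reaching a query method through **kwargs dictionary expansion. The following is an added Python example, not part of this package page and not Django's own code, that models the kind of alias pre-check upstream introduced in 4.0.4 (rejecting keys containing whitespace, quotation marks, semicolons or SQL comment markers) so a caller can validate a dict before expanding it into annotate(), aggregate(), extra() or explain(); the rule set, the `Order` model name and the sample aliases are constructed for illustration.

```python
import re

# Constructed rule set modelled on the alias check upstream added in 4.0.4:
# an alias must not contain whitespace, quotation marks, semicolons or SQL
# comment markers, because those let a key escape the quoted identifier.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"[\s'\"`;]|--|/\*|\*/")

class UnsafeAliasError(ValueError):
    """Raised when a **kwargs key is not a plain SQL identifier."""

def check_alias(alias) -> None:
    """Reject any alias that could break out of a quoted column name."""
    if not isinstance(alias, str) or not alias:
        raise UnsafeAliasError("alias must be a non-empty string")
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise UnsafeAliasError(
            "Column aliases cannot contain whitespace characters, quotation "
            f"marks, semicolons, or SQL comments: {alias!r}"
        )

def is_safe_alias(alias) -> bool:
    try:
        check_alias(alias)
    except UnsafeAliasError:
        return False
    return True

def safe_kwargs(kwargs: dict) -> dict:
    """Validate every key, then return a copy that is safe to expand."""
    # Hypothetical call site (not executed here):
    #     Order.objects.annotate(**safe_kwargs(user_supplied))
    for alias in kwargs:
        check_alias(alias)
    return dict(kwargs)

# Constructed sample keys with the verdict the validator should give.
SAMPLE_ALIASES = {
    "total_price": True,
    "n_items": True,
    'x" --': False,           # quote followed by a comment marker
    "a; b": False,            # statement separator
    "name with space": False,
    "count/*": False,
    "": False,
}

def run_demo() -> dict:
    """Map each sample alias to whether the validator accepts it."""
    return {alias: is_safe_alias(alias) for alias in SAMPLE_ALIASES}
```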

Upload details

Uploaded by: Debian Python Team
Uploaded to: Experimental
Original maintainer: Debian Python Team
Architectures: all
Section: python
Urgency: Very Urgent

Downloads

File Size SHA-256 Checksum
python-django_4.0.4-1.dsc 2.7 KiB 5aa6ec44f076e9ef3be1722c3eb867cd234583cde8c536e389c2feefc372b9db
python-django_4.0.4.orig.tar.gz 9.9 MiB 4e8177858524417563cc0430f29ea249946d831eacb0068a1455686587df40b5
python-django_4.0.4-1.debian.tar.xz 28.0 KiB 4688c09e834bd8c682fb0a961e3c45c0a27496ea6858d85f83eec0de34b7d35d

No changes file available.

Binary packages built by this source