
[SECURITY] [DLA 2982-1] python-django security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2982-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
April 14, 2022                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python-django
Version        : 1:1.10.7-2+deb9u16
CVE ID         : CVE-2022-28346
Debian Bug     : #1009677

It was discovered that there was a potential SQL injection vulnerability
in Django, a popular Python-based web development framework.

The QuerySet.annotate(), aggregate(), and extra() methods were subject to
SQL injection in column aliases when a suitably crafted dictionary was
passed, via dictionary expansion, as the **kwargs to these methods.
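The defensive check below is an added illustration, not code from this advisory, from Debian, or from the Django project itself. It shows the kind of alias validation an application can apply to a dictionary before expanding it into annotate()/aggregate()/extra(): keys that contain whitespace, quotation marks, semicolons or SQL comment markers are rejected before they reach the ORM. The function names (is_safe_alias, check_aliases, classify_aliases), the regular expression and the sample alias names are all constructed here; the rule set is modelled on the alias validation that upstream Django introduced for this issue, but it is written from memory and should be treated as an assumption rather than a quotation of the upstream patch.

```python
import re

# Characters and tokens that must never appear in a column alias.
# Constructed for this example; modelled on (not copied from) the
# validation Django added upstream for CVE-2022-28346.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


def is_safe_alias(alias) -> bool:
    """Return True when `alias` is a non-empty string free of forbidden tokens."""
    if not isinstance(alias, str) or not alias:
        return False
    return FORBIDDEN_ALIAS_PATTERN.search(alias) is None


def check_aliases(kwargs: dict) -> dict:
    """Validate every key of a **kwargs mapping bound for annotate()/aggregate()/extra().

    Raises ValueError on the first offending alias; otherwise returns the
    mapping unchanged so it can be expanded into the ORM call.
    """
    for alias in kwargs:
        if not is_safe_alias(alias):
            raise ValueError(
                f"Column alias {alias!r} must not contain whitespace, quotation "
                "marks, semicolons, or SQL comment markers."
            )
    return kwargs


def classify_aliases(aliases) -> dict:
    """Map each alias to 'ok' or 'rejected'; useful when auditing call sites."""
    return {a: ("ok" if is_safe_alias(a) else "rejected") for a in aliases}


if __name__ == "__main__":
    # Constructed sample keys: the shape of a dictionary an application might
    # build from request parameters and then expand into annotate(**kwargs).
    samples = ["total_count", "avg_price", "total count", 'price"', "a;b",
               "x--y", "n/*c*/"]
    for alias, verdict in classify_aliases(samples).items():
        print(f"{alias!r}: {verdict}")
```

In an application, call check_aliases() on any mapping whose keys originate outside the code base (request parameters, configuration, serialized state) before writing `qs.annotate(**mapping)`; the ORM upgrade in this advisory performs an equivalent check, but validating at the boundary keeps the rejection visible to your own logging and tests.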

For more information, please see:
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/

For Debian 9 "Stretch", this problem has been fixed in version
1:1.10.7-2+deb9u16.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmJYQXwACgkQHpU+J9Qx
HlhvxxAApORZR07Bo6XcViIWJRdiewPjDzK013qFP6Wm/hI9bbIpID3z83xbchb0
G/SNpbyLJWaBhSqGjWecbMIskuUNfas4mh3eZ/F6uJoFxGvW0asA8kgqcLI4z7d0
uWzhi/WyIKNGTbS+J82oiS1weEj3TfNWtLaiDtA37/fJxFGRGRKjLerpCuOve1t+
XcdpuwzEyw1aiqQlD6PlEy87Dntr6+zUtEhQP6/o/sLF5vrIKDivSsfgssPB+QR0
6zKvYhDzpcKxX46Mj0llXVLREOkj/CxKnQPFOnCiuiL0q+JZLXJb2LYVSlV0h6j2
/DD5LK6EgNT++OTP3SdoRVIukEjpHPWiHdYkYBVUvcC05fA2+klU2vm12boooZ0a
YoFewRbdDmXR4nIiq0jRU7wqkrryfyEGz2lE4Ej/BADye0ZIPcYZC1Jbgi+Cl21Q
ahM1jK7AZCFVwVnvcwirv/ZPRwCqPbWDVQEJIolhvFtwpZ4YLEdZ+qALH0K0eIu2
ldPcWIZXXFiL2sn9JjBMnhq1komJ6UtwyRYOcxNRB4EImjzr9QAPS5q4ohmvZ7E0
MsAr7AqJOXhKp5oqbp30Fvx5Om7HYyo/8KrXAMZQAUuPMNKM+LzNV3O4YSkZ9f9w
zNRpiLYf58bQ9TDSZT8JwfWdysG0CZtba9uWLS0/9PMjNFakm6I=
=RZ82
-----END PGP SIGNATURE-----