Debian Security Advisory
DLA-3024-1 python-django -- LTS security update
- Date Reported: 26 May 2022
- Affected Packages: python-django
- Security database references:
  - In Mitre's CVE dictionary: CVE-2020-9402.
- More information:
It was discovered that there was a potential SQL injection vulnerability in the Django web development framework.
Untrusted data was used as a tolerance parameter in GIS functions and aggregates when using the Oracle database backend. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was potentially possible to break escaping and inject malicious SQL.
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
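As an added illustration of the flaw class described above (this is not Django's code and not part of the advisory): a minimal Python sketch of the weak pattern, a caller-supplied tolerance formatted straight into the SQL text, beside a hardened builder that accepts only finite numeric values and binds the tolerance as a query parameter. The template, function names and the `a.geom`/`b.geom` operands are hypothetical.

```python
from decimal import Decimal
import math

# Hypothetical Oracle-style spatial function template; NOT Django's own code.
# The geometry operands come from model fields (ORM-controlled); the tolerance
# is the caller-supplied value the advisory is about.
SQL_TEMPLATE = "SDO_GEOM.SDO_DISTANCE({a}, {b}, {tol})"


def unsafe_distance_sql(col_a, col_b, tolerance=0.05):
    """Weak pattern: whatever was passed as tolerance is formatted into the SQL.

    A non-numeric value is not rejected; it lands verbatim in the statement,
    which is the escaping break the advisory describes."""
    return SQL_TEMPLATE.format(a=col_a, b=col_b, tol=tolerance)


def validate_tolerance(tolerance):
    """Accept only finite int/float/Decimal values; reject everything else.

    bool is a subclass of int, so it is excluded explicitly."""
    if isinstance(tolerance, bool) or not isinstance(tolerance, (int, float, Decimal)):
        raise TypeError("tolerance must be an int, float or Decimal")
    if not math.isfinite(float(tolerance)):
        raise ValueError("tolerance must be finite")
    return tolerance


def safe_distance_sql(col_a, col_b, tolerance=0.05):
    """Hardened pattern: type-check the tolerance and bind it as a parameter.

    Returns (sql, params) in DB-API style so the driver, not string
    formatting, carries the value into the query."""
    tol = validate_tolerance(tolerance)
    return SQL_TEMPLATE.format(a=col_a, b=col_b, tol="%s"), (tol,)


def tolerance_is_accepted(value):
    """True if the hardened builder would accept this tolerance value."""
    try:
        validate_tolerance(value)
    except (TypeError, ValueError):
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the weak builder embeds a non-numeric string as-is,
    # the hardened one only ever emits a placeholder plus a checked parameter.
    print(unsafe_distance_sql("a.geom", "b.geom", "not_a_number"))
    print(safe_distance_sql("a.geom", "b.geom", Decimal("0.05")))
```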
For Debian 9 Stretch, this problem has been fixed in version 1:1.10.7-2+deb9u17.
We recommend that you upgrade your python-django packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS