Package "python-django"

  python-django (1:1.11.11-1ubuntu1.9) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential data leakage via malformed memcached keys
    - debian/patches/CVE-2020-13254.patch: enforced cache key validation in
      memcached backends in django/core/cache/__init__.py,
      django/core/cache/backends/base.py,
      django/core/cache/backends/memcached.py, tests/cache/tests.py.
    - CVE-2020-13254
  * SECURITY UPDATE: Possible XSS via admin ForeignKeyRawIdWidget
    - debian/patches/CVE-2020-13596.patch: fixed potential XSS in admin
      ForeignKeyRawIdWidget in django/contrib/admin/widgets.py,
      tests/admin_widgets/models.py, tests/admin_widgets/tests.py.
    - CVE-2020-13596

 -- Marc Deslauriers <email address hidden> Thu, 28 May 2020 10:30:39 -0400

  python-django (1:1.11.11-1ubuntu1.8) bionic-security; urgency=medium

  * SECURITY UPDATE: SQL injection in Oracle GIS functions and aggregates
    - debian/patches/CVE-2020-9402.patch: properly escaped tolerance
      parameter in GIS functions and aggregates on Oracle in
      django/contrib/gis/db/models/aggregates.py,
      django/contrib/gis/db/models/functions.py,
      tests/gis_tests/distapp/tests.py, tests/gis_tests/geoapp/tests.py.
    - CVE-2020-9402

 -- Marc Deslauriers <email address hidden> Fri, 28 Feb 2020 13:07:57 -0500

  python-django (1:1.11.11-1ubuntu1.7) bionic-security; urgency=medium

  * SECURITY UPDATE: Possible SQL injection in the postgres aggregates
    StringAgg function
    - debian/patches/CVE-2020-7471.patch: Update
      django/contrib/postgres/aggregates/general.py to escape delimited
      parameter to the StringAgg function. Upstream patch.
    - CVE-2020-7471

 -- Alex Murray <email address hidden> Fri, 31 Jan 2020 14:14:46 +1030

  python-django (1:1.11.11-1ubuntu1.6) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential account hijack via password reset form
    - debian/patches/CVE-2019-19844.patch: Use verified user email for
      password reset requests.
    - CVE-2019-19844

 -- Steve Beattie <email address hidden> Wed, 18 Dec 2019 08:44:43 -0800

  python-django (1:1.11.11-1ubuntu1.5) bionic-security; urgency=medium

  * SECURITY UPDATE: Denial-of-service possibility in
    django.utils.text.Truncator
    - debian/patches/CVE-2019-14232.patch: adjusted regex to avoid
      backtracking issues when truncating HTML in django/utils/text.py,
      tests/template_tests/filter_tests/test_truncatewords_html.py,
      tests/utils_tests/test_text.py.
    - CVE-2019-14232
  * SECURITY UPDATE: Denial-of-service possibility in strip_tags()
    - debian/patches/CVE-2019-14233.patch: prevented excessive HTMLParser
      recursion in strip_tags() when handling incomplete HTML entities in
      django/utils/html.py, tests/utils_tests/test_html.py.
    - CVE-2019-14233
  * SECURITY UPDATE: SQL injection possibility in key and index lookups for
    JSONField/HStoreField
    - debian/patches/CVE-2019-14234.patch: protected JSONField/HStoreField
      key and index lookups against SQL injection in
      django/contrib/postgres/fields/hstore.py,
      django/contrib/postgres/fields/jsonb.py,
      tests/postgres_tests/test_hstore.py,
      tests/postgres_tests/test_json.py.
    - CVE-2019-14234
  * SECURITY UPDATE: Potential memory exhaustion in
    django.utils.encoding.uri_to_iri()
    - debian/patches/CVE-2019-14235.patch: fixed potential memory
      exhaustion in django.utils.encoding.uri_to_iri() in
      django/utils/encoding.py, tests/utils_tests/test_encoding.py.
    - CVE-2019-14235

 -- Marc Deslauriers <email address hidden> Fri, 26 Jul 2019 07:29:57 -0400