Package "python-django"

  python-django (1:1.11.11-1ubuntu1.21) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential bypass of validation when uploading multiple
    files using one form field
    - debian/patches/CVE-2023-31047.patch: prevent uploading multiple files
      in django/forms/widgets.py, docs/topics/http/file-uploads.txt,
      tests/forms_tests/field_tests/test_filefield.py,
      tests/forms_tests/widget_tests/test_clearablefileinput.py,
      tests/forms_tests/widget_tests/test_fileinput.py.
    - CVE-2023-31047

 -- Marc Deslauriers <email address hidden> Wed, 26 Apr 2023 10:05:28 -0400

  python-django (1:1.11.11-1ubuntu1.20) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential denial-of-service in file uploads
    - debian/patches/CVE-2023-24580.patch: add limits to
      django/conf/global_settings.py, django/core/exceptions.py,
      django/core/handlers/exception.py, django/http/multipartparser.py,
      django/http/request.py, docs/ref/exceptions.txt,
      docs/ref/settings.txt, tests/handlers/test_exception.py,
      tests/requests/test_data_upload_settings.py.
    - CVE-2023-24580

 -- Marc Deslauriers <email address hidden> Wed, 08 Feb 2023 10:30:23 -0500

  python-django (1:1.11.11-1ubuntu1.19) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential DoS via Accept-Language headers
    - debian/patches/CVE-2023-23969.patch: limit length of Accept-Language
      headers in django/utils/translation/trans_real.py,
      tests/i18n/tests.py.
    - CVE-2023-23969

 -- Marc Deslauriers <email address hidden> Mon, 30 Jan 2023 08:45:22 -0500

  python-django (1:1.11.11-1ubuntu1.18) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential SQL invjection
    - debian/patches/CVE-2022-34265.patch: protected
      trunc/extract against SQL injection in
      django/db/backends/base/operations.py,
      django/db/models/functions/datetime.py.
    - CVE-2022-34265

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 29 Jun 2022 15:19:32 -0300

  python-django (1:1.11.11-1ubuntu1.17) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential SQL injection in QuerySet.annotate(),
    aggregate(), and extra()
    - debian/patches/CVE-2022-28346.patch: prevent SQL injection in column
      aliases in django/db/models/sql/query.py, tests/aggregation/tests.py,
      tests/annotations/tests.py, tests/queries/tests.py,
      tests/expressions/test_queryset_values.py.
    - CVE-2022-28346
  * SECURITY UPDATE: header injection in URLValidator with Python security
    update
    - debian/patches/CVE-2021-32052.patch: prevent newlines and tabs from
      being accepted in URLValidator in django/core/validators.py,
      tests/validators/tests.py.
    - CVE-2021-32052

 -- Marc Deslauriers <email address hidden> Tue, 05 Apr 2022 12:40:49 -0400