-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 28 Jul 2023 14:19:58 +0100
Source: python-django
Binary: python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 2:2.2.28-1~deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Python Team
Changed-By: Chris Lamb
Description:
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework
Closes: 1030251 1031290 1035467 1040225
Changes:
 python-django (2:2.2.28-1~deb11u2) bullseye-security; urgency=high
 .
   * CVE-2023-23969: Potential denial-of-service via Accept-Language headers.
 .
     The parsed values of Accept-Language headers are cached in order to avoid
     repetitive parsing. This leads to a potential denial-of-service vector via
     excessive memory usage if large header values are sent.
 .
     In order to avoid this vulnerability, the Accept-Language header is now
     parsed up to a maximum length. (Closes: #1030251)
 .
   * CVE-2023-36053: Potential regular expression denial of service
     vulnerability in EmailValidator/URLValidator.
 .
     EmailValidator and URLValidator were subject to a potential regular
     expression denial of service attack via a very large number of domain name
     labels of emails and URLs. (Closes: #1040225)
 .
   * CVE-2023-31047: Prevent a potential bypass of validation when uploading
     multiple files using one form field.
 .
     Uploading multiple files using one form field has never been supported by
     forms.FileField or forms.ImageField as only the last uploaded file was
     validated. Unfortunately, the Uploading multiple files topic suggested
     otherwise. In order to avoid the vulnerability, the ClearableFileInput and
     FileInput form widgets now raise ValueError when the multiple HTML
     attribute is set on them. To prevent the exception and keep the old
     behavior, set the allow_multiple_selected attribute to True.
     (Closes: #1035467)
 .
   * CVE-2023-24580: Potential denial-of-service vulnerability in file uploads.
 .
     Passing certain inputs to multipart forms could result in too many open
     files or memory exhaustion, and provided a potential vector for a
     denial-of-service attack. The number of file parts parsed is now limited
     via the new DATA_UPLOAD_MAX_NUMBER_FILES setting. (Closes: #1031290)
 .
   * Add/apply the URLValidator patch from sid.
Checksums-Sha1:
 9faae80750a039b4cee415498f5651116b277f49 2811 python-django_2.2.28-1~deb11u2.dsc
 1aa4deee428cf10e68b3af8933ca430a0e25c622 41720 python-django_2.2.28-1~deb11u2.debian.tar.xz
 c96310767dcb6eb289299f5b195297ed417646c3 3122152 python-django-doc_2.2.28-1~deb11u2_all.deb
 d2cf01cfdbc5d4c86e65f5dab4d6b3ce5f9dcc5b 8216 python-django_2.2.28-1~deb11u2_amd64.buildinfo
 afaaef9e8e925ee6166e1a112d8b104b6e10df62 2685988 python3-django_2.2.28-1~deb11u2_all.deb
Checksums-Sha256:
 73c8be4319e6d37bcd715fb5bf32ff2899b4381e924e611ad3cd70fa3b26b85a 2811 python-django_2.2.28-1~deb11u2.dsc
 f3cd4875b523ffdb5254cbe49dc10059b2b321372847b1cea14c5e442a5d9535 41720 python-django_2.2.28-1~deb11u2.debian.tar.xz
 9767ecb0919247d102aa5dbe47288162be7d9bfcb36ef3c23593c04b779f0236 3122152 python-django-doc_2.2.28-1~deb11u2_all.deb
 6a5515d419e6e70fd9254155809b7f22dce164598e420735961f9028a7f56e98 8216 python-django_2.2.28-1~deb11u2_amd64.buildinfo
 4c9654c014765f94f7b85c28ef9c1d6d93368be7c3d39227058e7a0fef0593be 2685988 python3-django_2.2.28-1~deb11u2_all.deb
Files:
 b668564958ca9b5490f2d2b552d57f5b 2811 python optional python-django_2.2.28-1~deb11u2.dsc
 a43d5ae15927d611760653560069d210 41720 python optional python-django_2.2.28-1~deb11u2.debian.tar.xz
 431959df117303bbf9d1a28db1f98f86 3122152 doc optional python-django-doc_2.2.28-1~deb11u2_all.deb
 1d172d7df8f2c761ce2b1f9df171659a 8216 python optional python-django_2.2.28-1~deb11u2_amd64.buildinfo
 9ca00bdc99d3267306943a51b7f92b85 2685988 python optional python3-django_2.2.28-1~deb11u2_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmTIz7MACgkQHpU+J9Qx
Hlj+Yw//TIEjZlX4V4pPw+RABoGc9DMctUh37f8hTK8MN60dyLxMIQlUJwRCkuwW
EADe2BWxtIp3goV5ruPlbsYoiTzc8sKZotWQOt7wcEdsZZlTBLn/4CG1iMgZymVt
Q8PnRaDv52SFOXi/GFbg4piUQGMJaONstocRJ51jXJ0OijneKHq0noah7/70A2r9
a56qhJLPrqCjbyiY/lATSSEejMBJI4pRLWfgu5yOkHQ/Lp2slq3JoCFyo3d3pXjG
xGVf3ltKJutq0z2k36d1Jp9LgAa8V2pRWa8+V2SKMgPQTY6WE6vEhvnvuorEInrK
yakkxhY7eNBK2pmD20pUuLPlhtnr5xtWPnxg1qsHrz4TgUpO00X4tYyB5qcZugkT
c0IG1Bre4cDD+EF8rvk89WdJVk6eTC3e7NvHWGfoYluczOJpjKbZSTurrFhUnBZE
Ym9MmK/nJCWA+RZtucJPAgJ94HUAGCMEMmAiZRfdir6ALDvdo88ezKPuEA8iCKn/
mYpX/4jIMAbr/Ndfpo/sF3K/gd+KkKIhf73u51xfsRSHJEBsdbKXDiKLHGO4UlvV
2HtJHgbHrJmp1/EMPhx1hlnBmTqyx377C4hGj4TygcfjFYaG81AQkmtzS9B9BHtu
S3r0mKw2yMCBGuuIaEUnRMUE3dtOGPML02Kx0Jiw6Y0vkUZ1zWc=
=T1P3
-----END PGP SIGNATURE-----
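Added illustration of the CVE-2023-23969 mechanism described in the Changes field above. This is not Django's code and not part of the upload: the Accept-Language grammar, the 500-character cap, the "cut at the last comma before the cap" fallback and the attacker headers are all assumptions constructed for this example. What it shows is why a cache keyed on a raw, attacker-controlled header is a memory denial-of-service vector (every distinct value sent becomes a cache key, and nothing bounds the key size) and how parsing "up to a maximum length", as the changelog puts it, bounds the memory the cache can ever hold.

```python
"""Accept-Language parse cache: vulnerable vs. length-capped (added example,
not Django's implementation; grammar, cap and sample headers are assumptions)."""
import collections
import re

# Simplified language-range grammar (tag or *, optional ;q=0.xxx / 1.0).
_LANG_RE = re.compile(
    r"""
    ([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)          # language-range
    (?:\s*;\s*q=(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?     # optional q-value
    """,
    re.VERBOSE,
)


def _parse(header):
    """Return ((lang, q), ...) sorted by descending q; () on any syntax error."""
    result = []
    for piece in header.split(","):
        piece = piece.strip()
        if not piece:
            continue
        m = _LANG_RE.fullmatch(piece)
        if m is None:
            return ()
        lang, q = m.group(1), m.group(2)
        result.append((lang.lower(), float(q) if q is not None else 1.0))
    result.sort(key=lambda t: t[1], reverse=True)  # stable: ties keep order
    return tuple(result)


class KeyedCache:
    """Minimal LRU cache standing in for functools.lru_cache, but able to
    report how many bytes of key material it currently pins in memory."""

    def __init__(self, maxsize=1000):
        self.maxsize = maxsize
        self._data = collections.OrderedDict()

    def get_or_compute(self, key, compute):
        if key in self._data:
            self._data.move_to_end(key)
            return self._data[key]
        value = compute(key)
        self._data[key] = value
        if len(self._data) > self.maxsize:
            self._data.popitem(last=False)
        return value

    def key_bytes(self):
        return sum(len(k) for k in self._data)


class AcceptLanguageParser:
    """max_header_length=None reproduces the vulnerable shape (every distinct
    raw header, however long, is cached); an integer caps what enters the
    cache. 500 is an assumption for this example."""

    def __init__(self, max_header_length=None, cache_size=1000):
        self.max_header_length = max_header_length
        self.cache = KeyedCache(cache_size)

    def parse(self, header):
        limit = self.max_header_length
        if limit is None or len(header) <= limit:
            return self.cache.get_or_compute(header, _parse)
        # Oversized value: keep only the complete entries before the cap.
        cut = header.rfind(",", 0, limit)
        if cut > 0:
            return self.cache.get_or_compute(header[:cut], _parse)
        return ()  # a single huge tag is not parsed or cached at all


def build_header(seed, reps):
    """Constructed attacker header: a unique private-use-style prefix makes it
    a fresh cache key; repeated valid tags pad it to 10 + 9*reps bytes."""
    return "x-%08d" % seed + ",de;q=0.9" * reps


def simulate(parser, requests, reps):
    """Send `requests` distinct oversized headers; return bytes pinned by keys."""
    for i in range(requests):
        parser.parse(build_header(i, reps))
    return parser.cache.key_bytes()


if __name__ == "__main__":
    # With cache_size=1000 and ~1 MiB headers the vulnerable variant pins ~1 GiB.
    print("unbounded:", simulate(AcceptLanguageParser(None), 20, 20000))
    print("capped   :", simulate(AcceptLanguageParser(500), 20, 20000))
```

The capped parser still caches, so the hot path keeps its speed-up; the difference is that the bytes retained are bounded by cache_size times the cap rather than by whatever the client chooses to send. The other two fixes named in the Changes field are Django settings rather than parser logic (DATA_UPLOAD_MAX_NUMBER_FILES for CVE-2023-24580, and the allow_multiple_selected widget attribute for CVE-2023-31047), so they are not reproduced here.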