
Debian alert DLA-3024-1 (python-django)

From:  Chris Lamb <lamby@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 3024-1] python-django security update
Date:  Thu, 26 May 2022 06:59:15 -0400
Message-ID:  <165356262900.735284.3855633193517999012@copycat>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3024-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
May 26, 2022                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-django
Version        : 1:1.10.7-2+deb9u17
CVE ID         : CVE-2020-9402
Debian Bug     : #953102

It was discovered that there was a potential SQL injection vulnerability in the Django web development framework. Untrusted data was used as a tolerance parameter in GIS functions and aggregates when using the Oracle database backend. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was potentially possible to break escaping and inject malicious SQL.

For Debian 9 "Stretch", this problem has been fixed in version 1:1.10.7-2+deb9u17.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
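The bug class the advisory describes, as an added illustration that is not Django's code: a numeric "tolerance" option string-formatted into the text of a GIS SQL call, beside a hardened builder that accepts only numeric values and emits the tolerance as a bind parameter. The function names, the SDO_GEOM.SDO_DISTANCE template and the sample inputs are constructed for the example; whether this matches Django's actual patch line for line is not something the advisory states.

```python
"""Model of CVE-2020-9402's bug class (added example, not Django source).

A user-controlled option meant to be a number ends up inside SQL text.
The hardened variant validates the type and binds the value instead.
"""
from decimal import Decimal
from numbers import Real

# Stand-in for an Oracle GIS function call that takes a tolerance as its
# last argument; %(tolerance)s is where the option lands in the SQL text.
TEMPLATE = "SDO_GEOM.SDO_DISTANCE(%(lhs)s, %(rhs)s, %(tolerance)s)"


def build_sql_vulnerable(lhs, rhs, tolerance=0.05):
    """Pre-fix shape: the option is interpolated straight into the SQL
    template, so a string supplied by the caller becomes SQL syntax."""
    sql = TEMPLATE % {"lhs": lhs, "rhs": rhs, "tolerance": tolerance}
    return sql, []


def is_valid_tolerance(value):
    """True only for real numbers or Decimals; bool is rejected because it
    is an int subclass and never a meaningful tolerance."""
    if isinstance(value, bool):
        return False
    return isinstance(value, (Real, Decimal))


def build_sql_hardened(lhs, rhs, tolerance=0.05):
    """Fixed shape: reject anything non-numeric, then hand the value to the
    driver as a bind parameter (the literal '%s' placeholder) instead of
    splicing it into the statement text."""
    if not is_valid_tolerance(tolerance):
        raise TypeError("tolerance must be numeric, got %r" % (tolerance,))
    sql = TEMPLATE % {"lhs": lhs, "rhs": rhs, "tolerance": "%s"}
    return sql, [tolerance]


if __name__ == "__main__":
    # Constructed untrusted input: not a number, contains SQL syntax.
    untrusted = "0.05) OR 1=1 --"
    print(build_sql_vulnerable("g1", "g2", untrusted)[0])   # clause leaks into SQL
    print(build_sql_hardened("g1", "g2", 0.05))             # ('...%s)', [0.05])
    try:
        build_sql_hardened("g1", "g2", untrusted)
    except TypeError as exc:
        print("rejected:", exc)
```

Running the script shows the vulnerable builder returning a statement whose text now contains the extra clause, while the hardened builder refuses the same value before any SQL is produced.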


Copyright © 2025, Eklektix, Inc.