author    Chris Lamb <lamby@debian.org>  2022-11-17 09:49:30 +0000
committer Chris Lamb <lamby@debian.org>  2022-11-17 09:49:30 +0000
commit    c3c17135ff416e0b0ac61a121e8c200c91efaf58 (patch)
tree      c93b39b0aaa9c1a8e324a8f9d0abfad64c41335c /data
parent    49c76ae64511da06258e61480a7e81206a734770 (diff)
Reserve DLA-3191-1 for python-django
Diffstat (limited to 'data')
-rw-r--r--  data/CVE/list        3
-rw-r--r--  data/DLA/list        3
-rw-r--r--  data/dla-needed.txt  12
3 files changed, 3 insertions, 15 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 594970fde2..4fcecf1b28 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -63567,7 +63567,6 @@ CVE-2022-23834
CVE-2022-23833 (An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27 ...)
{DSA-5254-1 DLA-2906-1}
- python-django 2:3.2.12-1 (bug #1004752)
- [buster] - python-django <no-dsa> (Minor issue)
NOTE: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
NOTE: https://github.com/django/django/commit/fc18f36c4ab94399366ca2f2007b3692559a6f23 (main)
NOTE: https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9 (4.0.2)
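Review bot: the `{DSA-5254-1 DLA-2906-1}` reference line directly above the dropped `[buster] - python-django <no-dsa> (Minor issue)` entry is left unchanged, so DLA-3191-1 (which the data/DLA/list hunk in this same commit lists for CVE-2022-23833) is not referenced here. If that line is maintained by hand in this file rather than derived from data/DLA/list, it should become `{DSA-5254-1 DLA-2906-1 DLA-3191-1}`. Dropping the no-dsa override is otherwise the right move: buster's status is then taken from the new DLA entry instead of being marked as intentionally unfixed.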
@@ -67192,7 +67191,6 @@ CVE-2022-22819 (NXP LPC55S66JBD64, LPC55S66JBD100, LPC55S66JEV98, LPC55S69JBD64,
CVE-2022-22818 (The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3 ...)
{DSA-5254-1 DLA-2906-1}
- python-django 2:3.2.12-1 (bug #1004752)
- [buster] - python-django <no-dsa> (Minor issue)
NOTE: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
NOTE: https://github.com/django/django/commit/394517f07886495efcf79f95c7ee402a9437bd68 (main)
NOTE: https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5 (4.0.2)
@@ -71367,7 +71365,6 @@ CVE-2021-45453
CVE-2021-45452 (Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 b ...)
- python-django 2:3.2.11-1 (bug #1003113)
[bullseye] - python-django 2:2.2.26-1~deb11u1
- [buster] - python-django <postponed> (Minor issue; fix in next update)
[stretch] - python-django <postponed> (Minor issue; fix in next update)
NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
NOTE: https://github.com/django/django/commit/8d2f7cff76200cbd2337b2cf1707e383eb1fb54b (3.2.11)
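Review bot: the buster `<postponed> (Minor issue; fix in next update)` line is removed while the identical `[stretch]` postponed line directly below it stays; that is consistent if stretch is handled separately, but it is worth confirming since the reservation only covers buster. Unlike the two hunks above, this CVE carries no `{DSA/DLA}` reference line at all, so nothing in this file records that DLA-3191-1 (listed for CVE-2021-45452 in the data/DLA/list hunk) addresses it; add one if references are kept by hand here.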
diff --git a/data/DLA/list b/data/DLA/list
index 68f4593d86..383ef0294e 100644
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,3 +1,6 @@
+[17 Nov 2022] DLA-3191-1 python-django - security update
+ {CVE-2021-45452 CVE-2022-22818 CVE-2022-23833}
+ [buster] - python-django 1:1.11.29-1+deb10u4
[16 Nov 2022] DLA-3190-1 grub2 - security update
{CVE-2022-2601 CVE-2022-3775}
[buster] - grub2 2.06-3~deb10u2
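Review bot: the new DLA-3191-1 entry covers three CVEs (`{CVE-2021-45452 CVE-2022-22818 CVE-2022-23833}`), but the 20221115 note being removed from data/dla-needed.txt in this same commit announced an upload with four: CVE-2021-44420, CVE-2021-45452, CVE-2022-22818 and CVE-2022-23833. CVE-2021-44420 is missing here; either it was deliberately left out of the upload (then its buster status in data/CVE/list should still say so) or it should be added to this CVE list before the advisory text is finalised. Date, package name and the `1:1.11.29-1+deb10u4` buster version otherwise follow the format of the DLA-3190-1 entry below.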
diff --git a/data/dla-needed.txt b/data/dla-needed.txt
index 217bc8815f..e9ceab4595 100644
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -296,18 +296,6 @@ protobuf
puppet-module-puppetlabs-mysql
NOTE: 20221107: Programming language: Puppet, Ruby.
--
-python-django (Chris Lamb)
- NOTE: 20220911: Some issue was fixed in stretch so it should also be fixed for buster.
- NOTE: 20221018: There are 4 CVEs on the debian/buster branch that are seemingly unreleased: CVE-2020-24583, CVE-2020-24584, CVE-2021-3281 and CVE-2021-23336. (lamby)
- NOTE: 20221018: This leaves 8 CVEs that need fixing, either simply because the code is vulnerable or the issue has already been fixed in stretch: CVE-2022-34265, CVE-2022-28346, CVE-2022-23833, CVE-2022-22818, CVE-2021-33571, CVE-2021-33203, CVE-2021-31542 & CVE-2021-28658 (lamby)
- NOTE: 20221027: To clarify, only the first CVE mentioned in the previous comment (CVE-2022-34265) is vulnerable and not fixed in stretch, and the other seven have already been fixed in stretch. I plan to fix these remaining 1 CVE and release (with 5 total CVEs) instead of trying to co-ordinate a release with 12 (!) new patches. I can address them later. (lamby)
- NOTE: 20221031: Programming language: Python.
- NOTE: 20221031: VCS: https://salsa.debian.org/python-team/modules/python-django.git
- NOTE: 20221031: Special attention: Chris Lamb is the maintainer.
- NOTE: 20221103: Re-added pre-20221031 comments from Git and reclaimed; will upload at least CVE-2022-28346 soon. (lamby)
- NOTE: 20221104: Uploaded with three more CVEs: CVE-2022-28346 CVE-2021-45115 CVE-2021-45116 (lamby)
- NOTE: 20221115: Will upload shortly with CVE-2021-44420, CVE-2021-45452, CVE-2022-22818 & CVE-2022-23833 (lamby)
---
qemu
NOTE: 20221108: Programming language: C.
NOTE: 20221108: I updated the status of all opened (minor) CVEs to more clearly state whether we can fix or are waiting for a patch,
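Review bot: removing the whole python-django block also discards two notes that record work still open, not just the completed upload history: the 20221018 note that four CVEs (CVE-2020-24583, CVE-2020-24584, CVE-2021-3281, CVE-2021-23336) are seemingly unreleased on the debian/buster branch, and the 20221027 note that CVE-2022-34265 is vulnerable and not yet fixed, with the remaining work explicitly deferred ("I can address them later"). Unless those are now resolved, keep a trimmed entry (or re-add one after the release) carrying those two notes, the VCS URL and the "Chris Lamb is the maintainer" special-attention line, so the follow-up is not lost once the entry drops off the list.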