[ubuntu/kinetic-proposed] python-django 2:3.2.13-1 (Accepted)
Lena Voytek
lena.voytek at canonical.com
Fri May 27 16:55:39 UTC 2022
python-django (2:3.2.13-1) unstable; urgency=high
* New upstream security release:
- CVE-2022-28346: Potential SQL injection in QuerySet.annotate(),
aggregate(), and extra().
QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL
injection in column aliases, using a suitably crafted dictionary, with
dictionary expansion, as the **kwargs passed to these methods.
- CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options)
on PostgreSQL.
QuerySet.explain() method was subject to SQL injection in option names,
using a suitably crafted dictionary, with dictionary expansion, as the
**options argument.
See <https://www.djangoproject.com/weblog/2022/apr/11/security-releases/>
for more info.
Date: 2022-04-12 22:36:22.581004+00:00
Signed-By: Bryce Harrington <bryce at bryceharrington.org>
https://launchpad.net/ubuntu/+source/python-django/2:3.2.13-1
-------------- next part --------------
Sorry, changesfile not available.
More information about the kinetic-changes
mailing list