[SECURITY] [DLA 4010-1] python-django security update
- To: debian-lts-announce@lists.debian.org
- Subject: [SECURITY] [DLA 4010-1] python-django security update
- From: "Chris Lamb" <lamby@debian.org>
- Date: Sat, 11 Jan 2025 12:59:13 +0000
- Message-id: <173653466153.260034.6690886841296548780@copycat>
- Mail-followup-to: debian-lts@lists.debian.org
- Reply-to: debian-lts@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Debian LTS Advisory DLA-4010-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
January 10, 2025                                  https://wiki.debian.org/LTS

Package        : python-django
Version        : 2:2.2.28-1~deb11u4
CVE ID         : CVE-2024-6923
The fix for CVE-2024-6923 in the python3.9 source package, released as part of a suite of updates in DLA 3980-1 [0], introduced stricter processing of input in the "email" module in order to harden it against email header injection attacks.

This change, however, inadvertently broke sending emails when using lazy translation strings in the python-django package, resulting in the package no longer building from source.

As the previous behaviour of Python's "email" module can be re-enabled by passing the strict=False flag, the python-django package now does so; Django itself detects and/or encodes newlines elsewhere in its handling of outbound emails, so the header injection protection is not lost.
For Debian 11 bullseye, this change has been made in version 2:2.2.28-1~deb11u4.
We recommend that you upgrade your python-django packages.
For the detailed security status of python-django please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python-django
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[0] https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmeBaoEACgkQHpU+J9Qx
Hlhc4g/9FZUWiK/et2mdTOdmXb2JIV2FSVTjiGpvU19ves+P9dhQhdv54VqyZPfn
k26liYK4q5lK5GkMjo8mjEwc+BjEy5RI+OI1DLOlMBb4f0XmMQrmBYuwIjH9Sin6
DFCLb3CK33vAK9t17ax29Tjjv6UUZfPG/fUqhCTkdJMCkWKNkNjRAPvTpgih1zrM
bKG1HO41YWW6eo/m7nfjYde6B0JzcUp14iC6J4ZbjW85fYXFI7cRphbU1cHTijhh
7EHLeFMK7gx2bdXapZHZQOw7W6OlhGybdDpo4vJkmAdTFGjQDLtn+ajEUR7EUIt+
L+8DX2zbSSZJ7ApPtuYQ1VynFUP5wVEHBVX6Q9/90oUT+ze6MO7XUcV8k+pCq7jr
QUnSGIn+Ai91WtxXbh5Y4k5BRO40dJH7oPzaJBJPfRh8rOsF8xeU+qtWDSDUlLWv
ga0wDJCLjfk2Rk3me+ZSoqlBZLVUbl0L5WW+j8kYi5o6YfgTM7QowK+GYU0m/9gd
VD0797KEg8NtcpBz9o73Hmf7oSRunF1Bm+9t1mF6F/wmMmOXeYQ7A0wdyo7m+WOq
T+gGcT0RxQLEeGa8nSOc3J4mmYGcrMSlPMrKHHV5y/fqxodQzXnuDPGyE2PFIP5k
QvIWnPoG7O+JV/kWa8Sk79Zg+FS8GIuMbX/LjFSTkbuLYkn+epM=
=4BF9
-----END PGP SIGNATURE-----