- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4010-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
January 10, 2025                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python-django
Version        : 2:2.2.28-1~deb11u4
CVE ID         : CVE-2024-6923

The fix for CVE-2024-6923 in the python3.9 source package, which was
released as part of a suite of updates in DLA 3980-1 [0], introduced
safer processing of input in the email module in order to increase
the security around email header injection attacks.

This change inadvertently broke sending emails when using lazy
translation strings in the python-django package, resulting in the
package no longer building from source.

As the previous behaviour of Python's "email" module can be enabled
by passing the strict=False flag, the python-django package now does
so — Django detects and/or encodes newlines in its handling of
outbound emails elsewhere.
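As an added illustration (not Debian's or Django's own code), the following shows the kind of newline check an outbound-mail layer applies to header values before handing the message to Python's email module, including a constructed stand-in for a lazy translation string; the class and function names are assumptions for this example.

```python
# Added example, not code from the advisory or from Django. It mirrors the
# rule the advisory relies on: the application rejects CR/LF in header
# values itself, so the email module's stricter handling is a second line
# of defence rather than the only one.
from email.message import EmailMessage
from email.policy import default


class BadHeaderError(ValueError):
    """Raised when a header value contains a line break."""


class LazyText:
    """Constructed stand-in for a lazy translation proxy: it only becomes
    a real string when str() is called on it."""

    def __init__(self, text):
        self._text = text

    def __str__(self):
        return self._text


def check_header(name, value):
    """Return value as a str, or raise if it could start a new header line."""
    value = str(value)  # resolves lazy objects before inspecting them
    if "\n" in value or "\r" in value:
        raise BadHeaderError(
            "Header values can't contain newlines (got %r for header %r)"
            % (value, name)
        )
    return value


def header_is_safe(value):
    """True if check_header would accept the value, False otherwise."""
    try:
        check_header("X-Test", value)
    except BadHeaderError:
        return False
    return True


def build_message(subject, sender, recipient, body):
    """Build an EmailMessage, checking every header before it is set."""
    msg = EmailMessage(policy=default)
    msg["Subject"] = check_header("Subject", subject)
    msg["From"] = check_header("From", sender)
    msg["To"] = check_header("To", recipient)
    msg.set_content(body)
    return msg
```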

For Debian 11 bullseye, this change has been made in version
2:2.2.28-1~deb11u4.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

  [0] https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
