Colin Watson uploaded new packages for python-django which fixed the
following security problems:

CVE-2025-32873

    Denial-of-service possibility in strip_tags().
    django.utils.html.strip_tags() would be slow to evaluate certain
    inputs containing large sequences of incomplete HTML tags. This
    function is used to implement the striptags template filter,
    which was therefore also vulnerable. strip_tags() now raises a
    SuspiciousOperation exception if it encounters an unusually
    large number of unclosed opening tags.

For the bookworm-backports distribution the problem has been fixed
in version 3:4.2.21-1~bpo12+1.

Colin Watson uploaded new packages for python-django which fixed the
following security problems:

    CVE-2025-26699

        Potential denial-of-service vulnerability in
        django.utils.text.wrap(). The wrap() method and wordwrap
        template filter were subject to a potential denial-of-service
        attack when used with very long strings.

For the bookworm-backports distribution the problem has been fixed
in version 3:4.2.20-1~bpo12+1.

Colin Watson uploaded new packages for python-django which fixed the
following security problems:

CVE-2024-45230

    Potential denial-of-service vulnerability in
    django.utils.html.urlize(). urlize and urlizetrunc were subject to a
    potential denial-of-service attack via very large inputs with a
    specific sequence of characters.

CVE-2024-45231

    Potential user email enumeration via response status on password
    reset. Due to unhandled email sending failures, the
    django.contrib.auth.forms.PasswordResetForm class allowed remote
    attackers to enumerate user emails by issuing password reset
    requests and observing the outcomes. To mitigate this risk,
    exceptions occurring during password reset email sending are now
    handled and logged using the django.contrib.auth logger.

CVE-2024-53907

    Potential DoS in django.utils.html.strip_tags. The strip_tags()
    method and striptags template filter were subject to a potential
    denial-of-service attack via certain inputs containing large
    sequences of nested incomplete HTML entities.

CVE-2024-53908

    Potential SQL injection in HasKey(lhs, rhs) on Oracle. Direct
    usage of the django.db.models.fields.json.HasKey lookup on
    Oracle was subject to SQL injection if untrusted data is used as
    a lhs value. Applications that use the jsonfield.has_key lookup
    through the __ syntax are unaffected.

CVE-2024-56374

    Potential denial-of-service vulnerability in IPv6 validation. A
    lack of upper bound limit enforcement in strings passed when
    performing IPv6 validation could have led to a potential
    denial-of-service (DoS) attack. The undocumented and private
    functions clean_ipv6_address and is_valid_ipv6_address were
    vulnerable, as was the GenericIPAddressField form field, which
    has now been updated to define a max_length of 39 characters.
    The GenericIPAddressField model field was not affected.

For the bookworm-backports distribution the problems have been fixed
in version 3:4.2.18-1~bpo12+1.

Philippe Coval uploaded new packages for mosquitto which fixed the
following security problems:

CVE-2024-8376

    In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.

For the bookworm-backports distribution the problems have been fixed in
version 2.0.20-1~bpo12+1.

as you may know, oldstable is only supported for 1 year. For bookworm this was 2024-06-10. We added a small grace period afterwards, but we will not allow updates after this point. We will also remove the suite from the debian mirrors soon.

Thanks for your attention

Originally posted on debian-backports-announce

Debian Backports does not support LTS [1], therefore buster-backports is unsupported since August 1st 2022.

Despite of the documentation buster-backport was still available on the mirrors, that changed recently with the archival of buster-backports. Unfortunately we missed to create an announcement in 2022 which led so some surprise. Please take this as the missing announcement.

Pierre Gruet uploaded new packages for xerial-sqlite-jdbc which fixed
the following security problem:

CVE-2023-32697

    It was discovered that xerial-sqlite-jdbc had a remote code
    execution vulnerability via JDBC URL, which was caused by
    a predictable UUID choice.

For the bullseye-backports distribution the problem has been fixed in
version 3.36.0.3+dfsg1-3~bpo11+2.

Philippe Coval uploaded new packages for mosquitto which fixed the
following security problems:

CVE-2021-34434

    In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.

For the bookworm-backports distribution the problems have been fixed in
version 2.0.15-2~bpo12+1.

bullseye-backports and buster-backports-sloppy started

From now on you can upload packages to those two distributions. Please ensure to follow the rules of those distributions (yes, that means you can't upload packages to bullseye-backports now that are not in testing ;))

stretch-backports discontinued

Following the rules oldstable backports was discontinued some time ago, but we never announced that offically. Please do not upload anything to oldstable backports.

security uploads

Announcing security updates didn't worked well in the past. We therefore decided to change the mechanism security announcements work. Every Debian contributor (DM/DD) can now send a signed mail to the debian-backports-announce mailinglist. Please follow the template when doing so. The contribution document also shows how to reserve a BSA by doing a merge request to the website.

new backports maintainers

I am happy to announce that Thorsten Glaser (tg) and Micha Lenk (micha) will join us a backports ftpmasters. They are not yet onboarded, but that will happen soon. Please give them a warm welcome.

updates for the website

If you have something to contribute for our webseite, feel free to create an issue or (even better) create a merge request against https://salsa.debian.org/backports-team/backports-website

Thanks

Alex - backports ftpmaster

[1] https://backports.debian.org/Contribute/ [2] https://backports.debian.org/Instructions/ [3] https://backports.debian.org/Contribute/#index4h2

Now that buster was released we are pleased to announce the availability of buster-backports and stretch-backports-sloppy.

What to upload where

As a reminder, uploads to a release-backports pocket are to be taken from release + 1, uploads to a release-backports-sloppy pocket are to be taken from release + 2. Which means:

Backports and LTS

Please keep in mind that backports doesn't follow LTS. Which means that we will drop support for oldstable (stretch) around one year after the release of buster. Thats in sync with the - official - security support for oldstable

BSA Security Advisories

We plan to switch the security-announce mailinglist to keyring based authentication, which means that every DD and DM is able to publish its own BSA advisories. We will send out a seperate announcement after the switch happened - and of course update the documentation

Statistics

For packages backported from buster, so far we have 1624 different source packages in stretch-backports. Those 1624 source packages took 2821 uploads from 252 uploaders to become reality.

Thanks

Thanks have to go out to all people making backports possible, and that includes up front the backporters themself who do upload the packages, track and update them on a regular basis, but also the buildd team making the autobuilding possible and the ftp masters for creating the suites in the first place.

Happy Backporting!

Alex and Rhonda - backports.debian.org ftpmasters