python-django (3:4.2.14-1) unstable; urgency=medium

  * New upstream security release. (Closes: #1076069)

    - CVE-2024-38875: Prevent a potential denial-of-service in
      django.utils.html.urlize. This method (and urlizetrunc) was subject to
      a potential DoS attack via specially-crafted inputs with a very large
      number of brackets.

    - CVE-2024-39329: Avoid a username enumeration vulnerability through a
      timing difference for users with an unusable password. The authenticate
      method of django.contrib.auth.backends.ModelBackend allowed remote
      attackers to enumerate users via a timing attack involving login
      requests for users with unusable passwords.

    - CVE-2024-39330: Address a potential directory-traversal in
      django.core.files.storage.Storage.save. Derived classes of this method's
      base class which override generate_filename without replicating the
      file path validations existing in the parent class allowed for
      potential directory-traversal via certain inputs when calling save().
      Built-in Storage sub-classes were not affected by this vulnerability.

    - CVE-2024-39614: Fix a potential denial-of-service in
      django.utils.translation.get_supported_language_variant. This method
      was subject to a potential DoS attack when used with very long strings
      containing specific characters. To mitigate this vulnerability, the
      language code provided to get_supported_language_variant is now parsed
      up to a maximum length of 500 characters.
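The timing weakness behind CVE-2024-39329, shown as an added standalone example that is not Django's code: a weak authenticate rejects unknown users and unusable-password accounts before doing any hashing, while the hardened version always performs exactly one hash computation so rejection time does not reveal whether the username exists or is usable. The user store, account names, work factor and the instrumentation counter are constructed for the demo; the "!" prefix marking an unusable password follows the convention Django uses.

```python
import hashlib
import secrets

ITERATIONS = 20_000          # constructed work factor for the demo
UNUSABLE_PREFIX = "!"        # marks an account that has no usable password
HASH_CALLS = 0               # instrumentation: counts expensive hash computations


def _pbkdf2(password: str, salt: str) -> str:
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS).hex()


def make_password(password: str) -> str:
    salt = secrets.token_hex(8)
    return f"pbkdf2_sha256${salt}${_pbkdf2(password, salt)}"


def is_password_usable(encoded: str) -> bool:
    return not encoded.startswith(UNUSABLE_PREFIX)


def check_password(password: str, encoded: str) -> bool:
    _, salt, digest = encoded.split("$")
    return secrets.compare_digest(_pbkdf2(password, salt), digest)


# Hash of a throwaway secret, computed once, so the hardened path has a real hash to verify against.
DUMMY_HASH = make_password(secrets.token_hex(16))


def authenticate_fast_fail(users: dict, username: str, password: str) -> bool:
    """Weak: no hashing for unknown or unusable accounts, so those rejections are measurably faster."""
    encoded = users.get(username)
    if encoded is None or not is_password_usable(encoded):
        return False
    return check_password(password, encoded)


def authenticate_constant_work(users: dict, username: str, password: str) -> bool:
    """Hardened: exactly one hash computation on every path, result discarded when it must fail."""
    encoded = users.get(username)
    if encoded is None or not is_password_usable(encoded):
        check_password(password, DUMMY_HASH)  # burn the same cost as a real check
        return False
    return check_password(password, encoded)


def hash_calls_for(auth, users: dict, username: str, password: str) -> int:
    """Return how many hash computations a single authentication attempt performed."""
    before = HASH_CALLS
    auth(users, username, password)
    return HASH_CALLS - before


USERS = {  # constructed sample accounts
    "alice": make_password("correct horse"),
    "svc-import": UNUSABLE_PREFIX + secrets.token_hex(20),  # may never log in
}
```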