| Summary: | python-django new security issue CVE-2021-23336 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | python-django-3.1.3-1.mga8.src.rpm | CVE: | CVE-2021-23336 |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 24899 | | |
Description

David Walser
2021-02-20 19:13:11 CET

David Walser
2021-02-20 19:13:35 CET

Blocks: (none) => 24899

Assigning to the Python stack group.

Assignee: bugsquad => python

Ubuntu has issued an advisory for this on February 22:
https://ubuntu.com/security/notices/USN-4742-1

fix pushed in mga8:

src:
- python-django-3.1.7-1.mga8

Whiteboard: MGA8TOO => (none)
RPM: python3-django-3.1.7-1.mga8
Status comment: Fixed upstream in 3.1.7 => (none)

Advisory:
========================

Updated python-django package fixes security vulnerability:

Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes to prevent web cache poisoning. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default (CVE-2021-23336).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336
https://www.djangoproject.com/weblog/2021/feb/19/security-releases/

mga8, x64

CVE-2021-23336
https://bugs.python.org/issue42967 discusses recommendation for adherence to '&' as separator, eschewing ';' in parsed strings, which would have far-reaching consequences.

No specific PoC for python-django.

Test procedure at https://bugs.mageia.org/show_bug.cgi?id=17215#c5 requires django-admin, which can be found in site packages and /usr/bin.

$ which django-admin
/usr/bin/django-admin
$ whatpack django-admin
python3-django-3.1.6-1.mga8
$ django-admin startproject mysite
$ ls mysite
manage.py*  mysite/
$ cd mysite
$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  [...]
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK
$ rm -rf mysite

Update package.

$ rpm -q python3-django
python3-django-3.1.7-1.mga8
$ django-admin startproject mysite
$ cd mysite
$ python manage.py migrate
<migration succeeded>
$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
March 05, 2021 - 17:20:16
Django version 3.1.7, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Checked localhost:8000/
It reported a successful installation with an animated picture of a rocketship.
Mission accomplished.

CC: (none) => tarazed25

What is the rpm for M7 ????

CC: (none) => herman.viaene

In another bug not ready for QA.

Whiteboard: MGA7TOO MGA8-64-OK => MGA8-64-OK

Validating. Advisory in Comment 5.

Keywords: (none) => validated_update

Advisory committed to SVN.

CC: (none) => ouaurelien

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0135.html

Resolution: (none) => FIXED

This update also fixed CVE-2021-3281:
https://www.debian.org/lts/security/2022/dla-3164
https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
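The advisory text above says only that parse_qsl() stopped accepting ';' as a separator "to prevent web cache poisoning". The following Python is an added illustration of why that matters; it is not part of this bug report and not Django's or CPython's code. It models the pre-fix behaviour (split on both '&' and ';', as in CPython's urllib.parse.parse_qsl() before the bpo-42967 change and Django's backported copy before 3.1.7) next to the '&'-only behaviour, and runs both through a parameter-cloaking scenario: a front cache that splits only on '&' and excludes `utm_*` tracking parameters from its cache key, in front of a JSONP-style endpoint that reflects a `callback` parameter. The cache rule (`EXCLUDED_FROM_KEY`), the `/api/data` path, the `render_jsonp` sink and the query strings are all constructed for the example.

```python
"""
Illustration of CVE-2021-23336 / bpo-42967 (added example, not Django's code).

A cache that builds its key by splitting the query string only on '&' and a
backend that also splits on ';' disagree about what the parameters are.  An
attacker can hide an extra parameter inside a value the cache ignores, so the
cache stores the attacker-influenced response under the key of a clean request.
"""
from urllib.parse import unquote

# Assumed cache configuration for this example: tracking parameters the
# front cache drops when computing its cache key.  Constructed, not real.
EXCLUDED_FROM_KEY = frozenset({"utm_source", "utm_medium", "utm_content"})


def _split_pairs(qs, separators):
    """Split a raw query string into 'name=value' chunks on each separator."""
    chunks = [qs]
    for sep in separators:
        chunks = [piece for chunk in chunks for piece in chunk.split(sep)]
    return chunks


def _decode(chunks):
    """Decode '+' and percent-escapes in each chunk; drop empty chunks."""
    pairs = []
    for chunk in chunks:
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote(name.replace("+", " ")),
                      unquote(value.replace("+", " "))))
    return pairs


def parse_qsl_legacy(qs):
    """Pre-fix behaviour: both '&' and ';' separate parameters."""
    return _decode(_split_pairs(qs, ("&", ";")))


def parse_qsl_strict(qs):
    """Post-fix behaviour: only '&' separates parameters; ';' is plain data."""
    return _decode(_split_pairs(qs, ("&",)))


def cache_key(path, qs):
    """Cache key as a typical front cache computes it: split only on '&',
    drop the excluded tracking parameters, keep everything else."""
    kept = [(k, v) for k, v in parse_qsl_strict(qs) if k not in EXCLUDED_FROM_KEY]
    if not kept:
        return path
    return path + "?" + "&".join(f"{k}={v}" for k, v in kept)


def render_jsonp(qs, parser):
    """Toy JSONP-style endpoint: a 'callback' parameter, if the backend's
    parser sees one, is reflected into the response body."""
    params = dict(parser(qs))
    callback = params.get("callback", "render")
    return f'{callback}({{"ok": true}})'


def poisoning_outcome(path, qs, parser):
    """(cache_key, response) for one request handled by `parser`.  When the
    key equals that of a clean request but the body differs, the cache would
    serve the attacker's body to every later visitor of that key."""
    return cache_key(path, qs), render_jsonp(qs, parser)


# Constructed requests.  To the cache, ATTACK_QS is one excluded tracking
# parameter whose value happens to contain ';'; to a legacy parser it is two.
ATTACK_QS = "utm_content=123;callback=alert"
CLEAN_QS = "utm_content=123"


if __name__ == "__main__":
    for name, parser in (("legacy", parse_qsl_legacy), ("strict", parse_qsl_strict)):
        key, body = poisoning_outcome("/api/data", ATTACK_QS, parser)
        print(f"{name:6s} parsed={parser(ATTACK_QS)} key={key!r} body={body!r}")
```

With the legacy parser the attack request and the clean request share the cache key `/api/data`, yet the legacy backend answers `alert({"ok": true})`, which is what gets cached. With the '&'-only parser the whole string is a single `utm_content` value, `callback` is never seen, and the cached body is the normal one. That is the behavioural change the 3.1.7 update ships; the bpo-42967 discussion the QA comment links to is about the compatibility cost of making that change the default.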