| Summary: | python-django new security issues CVE-2021-28658, CVE-2021-31542, CVE-2021-32052, CVE-2021-33203, CVE-2021-33571, CVE-2021-35042 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, mageia, ouaurelien, smelror, sysadmin-bugs, tarazed25, timothysykestss |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | python-django-3.1.7-1.mga8.src.rpm | CVE: | CVE-2021-28658, CVE-2021-31542, CVE-2021-32052, CVE-2021-33203, CVE-2021-33571, CVE-2021-35042 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 24899 | ||
Description
David Walser
2021-04-18 22:36:35 CEST

David Walser
2021-04-18 22:37:02 CEST
Blocks: (none) => 24899

Assigning to Python maintainers; CC'ing NicolasL who has done recent commits of this SRPM.

CC: (none) => mageia

Upstream has issued an advisory on May 4:
https://www.djangoproject.com/weblog/2021/may/04/security-releases/
The issue is fixed upstream in 3.1.9.

Summary: python-django new security issue CVE-2021-28658 => python-django new security issues CVE-2021-28658 and CVE-2021-31542

Upstream has issued an advisory on May 6:
https://www.djangoproject.com/weblog/2021/may/06/security-releases/
The issue is fixed upstream in 3.1.10. Only Cauldron is affected.

Status comment: Fixed upstream in 3.1.9 => Fixed upstream in 3.1.10

Debian-LTS has issued an advisory for the first two issues on April 9:
https://www.debian.org/lts/security/2021/dla-2622
Ubuntu has issued advisories for the first two issues on April 6 and May 4:
https://ubuntu.com/security/notices/USN-4902-1
https://ubuntu.com/security/notices/USN-4932-1

Upstream has issued an advisory on June 2:
https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
The issues are fixed upstream in 3.1.12 and 3.2.4.
Ubuntu has issued an advisory for this on June 2:
https://ubuntu.com/security/notices/USN-4975-1

Status comment: Fixed upstream in 3.1.10 => Fixed upstream in 3.1.12 and 3.2.4

python-django-3.2.4-1.mga9 uploaded for Cauldron by Stig-Ørjan.

CC: (none) => smelror

Upstream has issued an advisory on July 1:
https://www.djangoproject.com/weblog/2021/jul/01/security-releases/
The issues are fixed upstream in 3.1.13 and 3.2.5.

Status comment: Fixed upstream in 3.1.12 and 3.2.4 => Fixed upstream in 3.1.13 and 3.2.5

Advisory
========
Django has been updated to fix several security issues.

References
==========
https://www.djangoproject.com/weblog/2021/jul/01/security-releases/

Files
=====
Uploaded to core/updates_testing
python3-django-3.1.13-1.mga8 from python3-django-3.1.13-1.mga8.src.rpm

Version: Cauldron => 8

Thanks. Needs a real advisory with all of the CVEs and references (five upstream advisories).
David Walser
2021-07-04 11:11:31 CEST
Status comment: Fixed upstream in 3.1.13 and 3.2.5 => (none)

mga8, x64
CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input
Referring to bug 28395 for testing procedure.
$ rpm -q python3-django
python3-django-3.1.7-1.mga8
Created a project successfully then removed it.
Updated the package.
$ django-admin startproject mysite
$ ls mysite
manage.py* mysite/
$ python manage.py migrate
Operations to perform:
Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
Applying contenttypes.0001_initial... OK
Applying auth.0001_initial... OK
[...]
Applying sessions.0001_initial... OK
$ ls
db.sqlite3 manage.py* mysite/
$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...
System check identified no issues (0 silenced).
July 14, 2021 - 19:50:34
Django version 3.1.13, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
Checked localhost:8000/
"The install worked successfully! Congratulations!" plus an animation of a rocketship launching. Links to documentation, the community and a Polling App tutorial.
$ python manage.py startapp polls
$ ls polls
admin.py apps.py __init__.py migrations/ models.py tests.py views.py
Did not get very far with this due to confusion over directory names but it looked like django was working. It would be easy for a python coder.
Giving this the go-ahead for x64.

Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in Comment 9, but according to Comment 10 it is incomplete.

Keywords: (none) => validated_update

Advisory
========
Django has been updated to fix several security issues.

References
==========
https://www.djangoproject.com/weblog/2021/jul/01/security-releases/
https://nvd.nist.gov/vuln/detail/CVE-2021-28658
https://nvd.nist.gov/vuln/detail/CVE-2021-31542
https://nvd.nist.gov/vuln/detail/CVE-2021-32052
https://nvd.nist.gov/vuln/detail/CVE-2021-33203
https://nvd.nist.gov/vuln/detail/CVE-2021-33571
https://nvd.nist.gov/vuln/detail/CVE-2021-35042

Files
=====
Uploaded to core/updates_testing
python3-django-3.1.13-1.mga8 from python3-django-3.1.13-1.mga8.src.rpm

Still wrong. See Comment 0 through 8. There are 5 upstream advisories, not just one. The advisory should also have CVE descriptions. There aren't too many of them to justify a generic advisory.

Advisory:
========================
Updated python-django package fixes security vulnerabilities:

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability (CVE-2021-28658).

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names (CVE-2021-31542).

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers (CVE-2021-32052).

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories (CVE-2021-33203).

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+.) (CVE-2021-33571)

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application (CVE-2021-35042).

python3-django is updated to 3.1.13 version to fix these security issues among other upstream bugfixes, see upstream release notes.

References:
- https://bugs.mageia.org/show_bug.cgi?id=28802
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28658
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31542
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32052
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33203
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33571
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35042
- https://www.djangoproject.com/weblog/2021/apr/06/security-releases/
- https://www.djangoproject.com/weblog/2021/may/04/security-releases/
- https://www.djangoproject.com/weblog/2021/may/06/security-releases/
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
- https://www.djangoproject.com/weblog/2021/jul/01/security-releases/
- https://docs.djangoproject.com/en/dev/releases/3.1.8/
- https://docs.djangoproject.com/en/dev/releases/3.1.9/
- https://docs.djangoproject.com/en/dev/releases/3.1.10/
- https://docs.djangoproject.com/en/dev/releases/3.1.11/
- https://docs.djangoproject.com/en/dev/releases/3.1.12/
- https://docs.djangoproject.com/en/dev/releases/3.1.13/
- https://www.debian.org/lts/security/2021/dla-2622
- https://ubuntu.com/security/notices/USN-4902-1
- https://ubuntu.com/security/notices/USN-4932-1
- https://ubuntu.com/security/notices/USN-4975-1
========================
Updated package in core/updates_testing:
========================
python3-django-3.1.13-1.mga8 from SRPM: python3-django-3.1.13-1.mga8.src.rpm

CVE: (none) => CVE-2021-28658, CVE-2021-31542, CVE-2021-32052, CVE-2021-33203, CVE-2021-33571, CVE-2021-35042

Oops. Sorry: you should read python-django-3.1.13-1.mga8 as SRPM in last comment. SVN advisory reflects this change.
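The IP-validation issue in the advisory above (CVE-2021-33571) comes down to dotted-quad text with leading-zero octets, which some parsers read as octal and a string-based allowlist reads literally. The following is an added example, not Django's code or anything from the Mageia advisory: a strict IPv4 validator that refuses such octets and an allowlist check that fails closed. The helper names (`is_strict_ipv4`, `build_allowlist`, `is_allowed_client`) and the sample addresses are constructed for illustration.

```python
import re
from typing import Iterable, FrozenSet

# One octet: 0, or 1..255 written without a leading zero. "010" is refused on
# purpose: some parsers (the C library's inet_aton among them) treat a
# leading-zero octet as octal, so "010.0.0.1" can name 8.0.0.1 for one
# component and something else for a string comparison. Hypothetical helper,
# not Django's own validator.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]?|0)"
_IPV4_STRICT = re.compile(_OCTET + r"(?:\." + _OCTET + r"){3}")


def is_strict_ipv4(value: str) -> bool:
    """True only for canonical dotted-decimal IPv4 text (no padded octets)."""
    # fullmatch rather than match: "1.2.3.4\n" or "1.2.3.4 " must not pass.
    return _IPV4_STRICT.fullmatch(value) is not None


def build_allowlist(entries: Iterable[str]) -> FrozenSet[str]:
    """Reject a misconfigured allowlist at startup instead of at request time."""
    allow = frozenset(entries)
    bad = sorted(e for e in allow if not is_strict_ipv4(e))
    if bad:
        raise ValueError("non-canonical IPv4 allowlist entries: " + ", ".join(bad))
    return allow


def is_allowed_client(remote_addr: str, allowlist: FrozenSet[str]) -> bool:
    """Fail closed: text that is not canonical IPv4 never matches, even if some
    parser would map it onto an allowed host."""
    return is_strict_ipv4(remote_addr) and remote_addr in allowlist


# Constructed sample values, not taken from any real deployment.
SAMPLE_ALLOWLIST = build_allowlist(["10.0.0.1", "192.168.1.20"])
SAMPLE_REQUESTS = ["10.0.0.1", "010.0.0.1", "192.168.1.020", "0192.168.1.20",
                   "192.168.1.20\n", "256.0.0.1", "0.0.0.0"]


def classify(addresses: Iterable[str]) -> dict:
    """Map each candidate address to whether the allowlist check accepts it."""
    return {a: is_allowed_client(a, SAMPLE_ALLOWLIST) for a in addresses}


if __name__ == "__main__":
    for addr, ok in classify(SAMPLE_REQUESTS).items():
        print(f"{addr!r:20} -> {'allowed' if ok else 'rejected'}")
```

Only the first request in the sample list is accepted; the padded, oversized and whitespace-trailing forms are all rejected before any comparison happens.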
Aurelien Oudelet
2021-07-15 22:19:51 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0356.html

Status: NEW => RESOLVED