Bug 29843

Summary: python-django new security issues CVE-2021-4511[56] and CVE-2021-45452
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, python, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-django-3.1.14-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-01-04 18:52:36 CET 
Upstream has issued an advisory today (January 4):
https://www.djangoproject.com/weblog/2022/jan/04/security-releases/

The issue is fixed upstream in 3.2.11.  3.1.x is no longer supported.

Mageia 8 is also affected.
David Walser 2022-01-04 18:52:48 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.2.11

Comment 1 Nicolas Lécureuil 2022-01-04 21:20:27 CET 
New version pushed in mga9.

Fixed version in mga8:

src:
    - python-django-3.1.14-1.1.mga8

Version: Cauldron => 8
Status comment: Fixed upstream in 3.2.11 => (none)
Assignee: python => qa-bugs
CC: (none) => mageia, python
Whiteboard: MGA8TOO => (none)

Comment 2 David Walser 2022-01-04 21:33:23 CET 
RPM:
python3-django-3.1.14-1.1.mga8
Comment 3 David Walser 2022-01-05 16:29:28 CET 
Ubuntu has issued an advisory for this today (January 5):
https://ubuntu.com/security/notices/USN-5204-1
Comment 4 Herman Viaene 2022-01-07 14:54:46 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues:
Repeating tests as in bug 29737 Comment 3
$ django-admin startproject mysite

$ ls mysite
manage.py*  mysite/

$ cd mysite/
$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying auth.0010_alter_group_name_max_length... OK
  Applying auth.0011_update_proxy_permissions... OK
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK

$ ls
db.sqlite3  manage.py*  mysite/

$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
January 07, 2022 - 13:47:12
Django version 3.1.14, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.


Checked localhost:8000/
"The install worked successfully! Congratulations!"
plus an animation of a rocketship launching.  Links to documentation, the community
Then on another tab in Konsole:
$  python manage.py startapp polls
$ ls polls
admin.py  apps.py  __init__.py  migrations/  models.py  tests.py  views.py

All looks good.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-01-07 17:19:53 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-01-11 01:09:21 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-01-11 08:14:00 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0011.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED