| Summary: | python-django new security issues CVE-2022-22818 and CVE-2022-23833 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, mhrambo3501, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | python-django-3.1.14-1.1.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2022-02-01 17:56:17 CET
David Walser
2022-02-01 17:56:28 CET
Whiteboard: (none) => MGA8TOO
Debian-LTS has issued an advisory for this on February 1: https://www.debian.org/lts/security/2022/dla-2906
Ubuntu has issued an advisory for this today (February 3): https://ubuntu.com/security/notices/USN-5269-1
Fedora has issued an advisory for this today (February 11): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
Wally upgraded cauldron to 3.2.12 in Feb 2022.
Updated package uploaded for Mageia 8
Advisory:
========================
Updated python-django package fixes security vulnerabilities:
* The {% debug %} template tag didn't properly encode the current context posing an XSS attack vector (CVE-2022-22818).
* Passing certain inputs to multipart forms could result in an infinite loop when parsing files resulting in a denial of service (CVE-2022-23833).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22818
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23833
https://www.debian.org/lts/security/2022/dla-2906
========================
Updated packages in core/updates_testing:
========================
python3-django-3.2.12-1.mga8.noarch.rpm
from python-django-3.2.12-1.mga8.src.rpm
Test procedure: https://bugs.mageia.org/show_bug.cgi?id=29737#c3
Status comment: Fixed upstream in 3.2.12 => (none)
I totally forgot (wish we could edit) that there is a dependency that will be needed. Add to the file list
python3-asgiref-3.5.0-1.mga8.noarch.rpm
from python-asgiref-3.5.0-1.mga8.src.rpm
Updated packages in core/updates_testing:
========================
python3-django-3.2.12-1.mga8.noarch.rpm
from python-django-3.2.12-1.mga8.src.rpm
python3-asgiref-3.5.0-1.mga8.noarch.rpm
from python-asgiref-3.5.0-1.mga8.src.rpm
Add a note to the advisory that asgiref was updated for the new django. Also make sure the URL from Comment 0 is in the references, and if there's a release notes for Django 3.2, that would be good to include since we're switching branches.
Updated advisory...
Updated package uploaded for Mageia 8
Advisory:
========================
Updated python-django package fixes security vulnerabilities:
* The {% debug %} template tag didn't properly encode the current context posing an XSS attack vector (CVE-2022-22818).
* Passing certain inputs to multipart forms could result in an infinite loop when parsing files resulting in a denial of service (CVE-2022-23833).
Note that the python-django update necessitated a version update to python-asgiref as well. The files are included in the file list and python-asgiref is needed in order to install python-django.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22818
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23833
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
========================
Updated packages in core/updates_testing:
========================
python3-django-3.2.12-1.mga8.noarch.rpm
from python-django-3.2.12-1.mga8.src.rpm
python3-asgiref-3.5.0-1.mga8.noarch.rpm
from python-asgiref-3.5.0-1.mga8.src.rpm
Since this update is a change from the 3.1 to the 3.2 python-django branch a link to the release notes for the 3.2 branch is included.
https://docs.djangoproject.com/en/4.0/releases/3.2/
Test procedure: https://bugs.mageia.org/show_bug.cgi?id=29737#c3
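To make the first advisory item concrete, here is an added illustration (not Django's or Mageia's code) of what CVE-2022-22818 is about: a minimal stand-in for the {% debug %} tag that pretty-prints the template context, first emitting it raw and then HTML-escaped as the 3.2.12 fix does. The function names, the debug gate and the sample context are assumptions constructed for this example.

```python
"""Stand-in for Django's {% debug %} tag, constructed to show CVE-2022-22818.

This is an illustration, not Django's code: a plain dict stands in for the
template context, and the debug gate models the tag rendering nothing
outside debug mode (an assumption about the real tag, kept for realism).
"""
import html
from pprint import pformat


def render_debug_unescaped(context, debug=True):
    """Pre-3.2.12 shape: the pretty-printed context goes into the page as-is.

    A context value that echoes user input (a search term, a form field)
    reaches the browser verbatim, which is the XSS vector the advisory names.
    """
    if not debug:
        return ""
    return pformat(context)


def render_debug_escaped(context, debug=True):
    """3.2.12-style shape: same dump, HTML-escaped before it is emitted."""
    if not debug:
        return ""
    return html.escape(pformat(context), quote=True)


def contains_raw_markup(rendered):
    """Review check over rendered output: a literal angle bracket means some
    context value was emitted without escaping."""
    return "<" in rendered or ">" in rendered


# Constructed sample context: 'query' carries user-controlled markup.
SAMPLE_CONTEXT = {
    "user": "alice",
    "query": "<b>untrusted</b> input",
}

if __name__ == "__main__":
    print("--- unescaped (vulnerable shape) ---")
    print(render_debug_unescaped(SAMPLE_CONTEXT))
    print("--- escaped (fixed shape) ---")
    print(render_debug_escaped(SAMPLE_CONTEXT))
```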
mga8, x64
Updated the packages using qarepo.
Ran Herman's tests:
$ django-admin startproject mysite
/usr/bin/django-admin:17: RemovedInDjango40Warning: django-admin.py is deprecated in favor of django-admin.
$ tree mysite
mysite
├── manage.py
└── mysite
    ├── asgi.py
    ├── __init__.py
    ├── settings.py
    ├── urls.py
    └── wsgi.py
$ cd mysite
$ python manage.py migrate
Operations to perform:
Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
Applying contenttypes.0001_initial... OK
Applying auth.0001_initial... OK
[...]
Applying sessions.0001_initial... OK
$ ls
db.sqlite3 manage.py* mysite/
$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...
System check identified no issues (0 silenced).
March 20, 2022 - 16:26:47
Django version 3.2.12, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
localhost:8000/ showed django and the rocketship with the Congratulations message. The three links at the bottom of the page worked OK.
In another terminal:
$ cd mysite
$ python manage.py startapp polls
$ ls polls
admin.py apps.py __init__.py migrations/ models.py tests.py views.py
$ cd polls
__init__.py is empty and the other five scripts are just stubs and when run import modules without error.
That all looks OK.
Whiteboard: (none) => MGA8-64-OK
Validating. Updated advisory in Comment 7.
CC: (none) => andrewsfarm, sysadmin-bugs
Dave Hodgins
2022-03-21 19:23:49 CET
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0104.html
Status: NEW => RESOLVED