Bug 30603

Summary: python-django new security issues CVE-2022-34265 and CVE-2022-36359
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, smelror, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-django-3.2.13-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-07-04 20:40:18 CEST 
Upstream has issued an advisory today (July 4):
https://www.djangoproject.com/weblog/2022/jul/04/security-releases/

The issue is fixed upstream in 3.2.14.

Mageia 8 is also affected.
David Walser 2022-07-04 20:40:36 CEST

Assignee: bugsquad => python
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.2.14

Comment 1 David Walser 2022-07-04 20:47:07 CEST 
Ubuntu has issued an advisory for this today (July 4):
https://ubuntu.com/security/notices/USN-5501-1
Comment 2 David Walser 2022-07-05 14:39:48 CEST 
python-django-3.2.14-1.mga9 uploaded for Cauldron by Stig-Ørjan.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => smelror

Comment 3 David Walser 2022-08-03 17:04:36 CEST 
Upstream has issued an advisory today (August 3):
https://www.djangoproject.com/weblog/2022/aug/03/security-releases/

The issue is fixed upstream in 3.2.15.

Mageia 8 is also affected.

Version: 8 => Cauldron
Whiteboard: (none) => MGA8TOO
Summary: python-django new security issue CVE-2022-34265 => python-django new security issues CVE-2022-34265 and CVE-2022-36359
Status comment: Fixed upstream in 3.2.14 => Fixed upstream in 3.2.15

Comment 4 Stig-Ørjan Smelror 2022-08-03 20:57:28 CEST 
Cauldron has been updated to version 3.2.15
Comment 5 Stig-Ørjan Smelror 2022-08-03 21:01:22 CEST 
Advisory
========
Python-django has been updated to fix 2 security issues

CVE-2022-34265: An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
CVE-2022-36359: An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.


References
==========

https://nvd.nist.gov/vuln/detail/CVE-2022-34265
https://nvd.nist.gov/vuln/detail/CVE-2022-36359
https://www.djangoproject.com/weblog/2022/aug/03/security-releases/


Files
=====

Uploaded to core/updates_testing

python-django-3.2.15-1.mga8

from python-django-3.2.15-1.mga8.src.rpm

Version: Cauldron => 8
Assignee: python => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 6 David Walser 2022-08-03 23:18:59 CEST 
Thanks.  The built package is actually called python3-django.

Status comment: Fixed upstream in 3.2.15 => (none)

Comment 7 Stig-Ørjan Smelror 2022-08-04 05:31:18 CEST 
Advisory
========
Python-django has been updated to fix 2 security issues

CVE-2022-34265: An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
CVE-2022-36359: An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.


References
==========

https://nvd.nist.gov/vuln/detail/CVE-2022-34265
https://nvd.nist.gov/vuln/detail/CVE-2022-36359
https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
https://www.djangoproject.com/weblog/2022/aug/03/security-releases/


Files
=====

Uploaded to core/updates_testing

python3-django-3.2.15-1.mga8

from python-django-3.2.15-1.mga8.src.rpm
Comment 8 David Walser 2022-08-05 18:29:16 CEST 
(In reply to David Walser from comment #3)
> Upstream has issued an advisory today (August 3):
> https://www.djangoproject.com/weblog/2022/aug/03/security-releases/
> 
> The issue is fixed upstream in 3.2.15.
> 
> Mageia 8 is also affected.

Ubuntu has issued an advisory for this on August 4:
https://ubuntu.com/security/notices/USN-5549-1
Comment 9 Len Lawrence 2022-08-08 13:32:01 CEST 
Mageia8, x86_64
Followed Herman's lead in this as in bug 29737.
Removed the former mysite directory and ran the same commands as before with identical results, so no regressions for python3.

$ django-admin startproject mysite
$ python manage.py migrate
$ python manage.py runserver

The server reported success at localhost:8000/ with the cute rocket icon and link to documentation.
Moved to another terminal:
$ python manage.py startapp polls

Noted the same stub scripts in  the polls directory.
Stopped the server with Control-C.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 10 Thomas Andrews 2022-08-09 14:23:28 CEST 
Validating. Advisory in Comment 7.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-08-12 21:56:00 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 11 Mageia Robot 2022-08-13 04:33:39 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0281.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED