Bug 28395 - python-django new security issue CVE-2021-23336
Summary: python-django new security issue CVE-2021-23336
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 24899
Reported: 2021-02-20 19:13 CET by David Walser
Modified: 2022-10-31 15:16 CET (History)

See Also:
Source RPM: python-django-3.1.3-1.mga8.src.rpm
CVE: CVE-2021-23336
Status comment:


Description David Walser 2021-02-20 19:13:11 CET
Upstream has issued an advisory on February 19:
https://www.djangoproject.com/weblog/2021/feb/19/security-releases/

The issue is fixed upstream in 2.1.19 and 3.1.7.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-02-20 19:13:35 CET

Blocks: (none) => 24899
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.1.7

Comment 1 Lewis Smith 2021-02-20 20:33:26 CET
Assigning to the Python stack group.

Assignee: bugsquad => python

Comment 2 David Walser 2021-02-26 19:28:57 CET
Ubuntu has issued an advisory for this on February 22:
https://ubuntu.com/security/notices/USN-4742-1
Comment 3 Nicolas Lécureuil 2021-02-27 23:23:16 CET
fix pushed in mga8:


src: 
    - python-django-3.1.7-1.mga8

Whiteboard: MGA8TOO => (none)
CC: (none) => mageia
Assignee: python => qa-bugs
Version: Cauldron => 8

Comment 4 David Walser 2021-02-27 23:45:10 CET
RPM:
python3-django-3.1.7-1.mga8

Status comment: Fixed upstream in 3.1.7 => (none)

Comment 5 David Walser 2021-03-03 02:00:40 CET
Advisory:
========================

Updated python-django package fixes security vulnerability:

Django contains a copy of urllib.parse.parse_qsl() which was added to backport
some security fixes to prevent web cache poisoning. A further security fix has
been issued recently such that parse_qsl() no longer allows using ; as a query
parameter separator by default (CVE-2021-23336).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336
https://www.djangoproject.com/weblog/2021/feb/19/security-releases/
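The advisory above describes the behaviour change behind CVE-2021-23336 but shows no code. The following is an added example, not Django's own parse_qsl() copy or the upstream patch: it models the pre-fix parser (splits pairs on both "&" and ";") next to the post-fix parser (splits only on an explicit separator, "&" by default) and flags query strings the two interpret differently, which is the condition that lets a cache and the application behind it disagree about a request's parameters. Function names, and the sample queries, are constructed for this illustration; Django's real implementation additionally handles max_num_fields, encoding and strict parsing.

```python
"""Side-by-side model of query-string parsing before and after the
CVE-2021-23336 fix (illustrative code, not Django's implementation)."""
from typing import List, Tuple
from urllib.parse import unquote_plus


def _pairs_to_items(pairs: List[str]) -> List[Tuple[str, str]]:
    """Turn 'name=value' fragments into decoded (name, value) tuples,
    skipping empty fragments the way parse_qsl() does by default."""
    items: List[Tuple[str, str]] = []
    for pair in pairs:
        if not pair:
            continue
        name, _, value = pair.partition("=")
        items.append((unquote_plus(name), unquote_plus(value)))
    return items


def parse_qsl_legacy(qs: str) -> List[Tuple[str, str]]:
    """Pre-fix behaviour: both '&' and ';' terminate a name=value pair."""
    pairs = [part for chunk in qs.split("&") for part in chunk.split(";")]
    return _pairs_to_items(pairs)


def parse_qsl_fixed(qs: str, separator: str = "&") -> List[Tuple[str, str]]:
    """Post-fix behaviour: only the explicit separator splits pairs, so a
    literal ';' stays inside the value instead of starting a new parameter."""
    return _pairs_to_items(qs.split(separator))


def parsers_disagree(qs: str) -> bool:
    """True when the two interpretations yield different parameter lists.
    A front-end cache and a back-end application that disagree this way
    can key and serve responses inconsistently (web cache poisoning)."""
    return parse_qsl_legacy(qs) != parse_qsl_fixed(qs)


def flag_ambiguous(queries: List[str]) -> List[str]:
    """Return the subset of query strings whose meaning depends on whether
    ';' is treated as a separator; useful when reviewing access logs."""
    return [qs for qs in queries if parsers_disagree(qs)]


# Constructed sample query strings (not taken from any real traffic).
SAMPLE_QUERIES = [
    "page=1&sort=asc",   # unambiguous: only '&' is used
    "page=1;sort=asc",   # ambiguous: legacy sees two params, fixed sees one
    "q=a%3Bb",           # percent-encoded ';' is a literal under both parsers
]

if __name__ == "__main__":
    for qs in SAMPLE_QUERIES:
        print(f"{qs!r:22} legacy={parse_qsl_legacy(qs)} fixed={parse_qsl_fixed(qs)}")
    print("ambiguous:", flag_ambiguous(SAMPLE_QUERIES))
```

On an interpreter that carries the corresponding CPython fix (bpo-42967), urllib.parse.parse_qsl() behaves like parse_qsl_fixed() above; applications that genuinely need ";" as a separator must now say so explicitly rather than relying on the old default.
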
Comment 6 Len Lawrence 2021-03-05 18:30:51 CET
mga8, x64

CVE-2021-23336
https://bugs.python.org/issue42967 discusses recommendation for adherence to '&' as separator, eschewing ';' in parsed strings, which would have far-reaching consequences.
No specific PoC for python-django.

Test procedure at https://bugs.mageia.org/show_bug.cgi?id=17215#c5 requires django-admin, which can be found in site packages and /usr/bin.
$ which django-admin
/usr/bin/django-admin
$ whatpack django-admin
python3-django-3.1.6-1.mga8

$ django-admin startproject mysite
$ ls mysite
manage.py*  mysite/
$ cd mysite
$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
[...]
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK

$ rm -rf mysite

Update package.
$ rpm -q python3-django
python3-django-3.1.7-1.mga8
$ django-admin startproject mysite
$ cd mysite
$ python manage.py migrate
<migration succeeded>
$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
March 05, 2021 - 17:20:16
Django version 3.1.7, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Checked localhost:8000/
It reported a successful installation with an animated picture of a rocketship.

Mission accomplished.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7TOO MGA8-64-OK

Comment 7 Herman Viaene 2021-03-08 15:29:38 CET
What is the rpm for M7 ????

CC: (none) => herman.viaene

Comment 8 David Walser 2021-03-08 15:44:13 CET
In another bug not ready for QA.

Whiteboard: MGA7TOO MGA8-64-OK => MGA8-64-OK

Comment 9 Thomas Andrews 2021-03-08 17:11:12 CET
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 10 Aurelien Oudelet 2021-03-14 16:42:40 CET
Advisory committed to SVN.

CC: (none) => ouaurelien
CVE: (none) => CVE-2021-23336
Keywords: (none) => advisory

Comment 11 Mageia Robot 2021-03-14 22:22:24 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0135.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

