Upstream has issued an advisory on February 19: https://www.djangoproject.com/weblog/2021/feb/19/security-releases/ The issue is fixed upstream in 2.1.19 and 3.1.7. Mageia 7 and Mageia 8 are also affected.
Blocks: (none) => 24899
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.1.7
Assigning to the Python stack group.
Assignee: bugsquad => python
Ubuntu has issued an advisory for this on February 22: https://ubuntu.com/security/notices/USN-4742-1
fix pushed in mga8:

src:
- python-django-3.1.7-1.mga8
Whiteboard: MGA8TOO => (none)
CC: (none) => mageia
Assignee: python => qa-bugs
Version: Cauldron => 8
RPM: python3-django-3.1.7-1.mga8
Status comment: Fixed upstream in 3.1.7 => (none)
Advisory:
========================

Updated python-django package fixes security vulnerability:

Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes to prevent web cache poisoning. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default (CVE-2021-23336).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336
https://www.djangoproject.com/weblog/2021/feb/19/security-releases/
mga8, x64

CVE-2021-23336

https://bugs.python.org/issue42967 discusses recommendation for adherence to '&' as separator, eschewing ';' in parsed strings, which would have far-reaching consequences. No specific PoC for python-django.

Test procedure at https://bugs.mageia.org/show_bug.cgi?id=17215#c5 requires django-admin, which can be found in site packages and /usr/bin.

$ which django-admin
/usr/bin/django-admin
$ whatpack django-admin
python3-django-3.1.6-1.mga8
$ django-admin startproject mysite
$ ls mysite
manage.py*  mysite/
$ cd mysite
$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
[...]
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK
$ rm -rf mysite

Update package.

$ rpm -q python3-django
python3-django-3.1.7-1.mga8
$ django-admin startproject mysite
$ cd mysite
$ python manage.py migrate
<migration succeeded>
$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
March 05, 2021 - 17:20:16
Django version 3.1.7, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Checked localhost:8000/
It reported a successful installation with an animated picture of a rocketship.

Mission accomplished.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7TOO MGA8-64-OK
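The following Python is an added illustration of the behaviour change named in the advisory (CVE-2021-23336) and is not part of this bug report, the Mageia advisory, Django's bundled copy of parse_qsl() or CPython's urllib.parse. The two parser functions, the separator_mismatch() check and the sample query strings are all constructed for this page: one parser splits only on a single caller-chosen separator (the fixed behaviour, '&' by default), the other treats both '&' and ';' as separators (the pre-fix behaviour). The mismatch check shows why the change matters for cache poisoning: a front-end cache and a backend that disagree on the separator see different parameter sets for the same request.

```python
# Added illustration of the separator change described in the advisory
# (CVE-2021-23336). Minimal stand-in written for this page; it is not
# Django's parse_qsl() copy nor CPython's urllib.parse.parse_qsl().
from urllib.parse import unquote_plus


def parse_qsl_with_separator(qs, separator="&", keep_blank_values=False):
    """Split a query string into (name, value) pairs on ONE separator.

    Mirrors the fixed behaviour: only the caller-chosen separator
    (default '&') splits parameters, so ';' stays inside a value unless
    the caller explicitly passes separator=';'.
    """
    pairs = []
    for chunk in qs.split(separator):
        if not chunk:
            continue  # tolerate '&&' and a trailing '&'
        name, has_eq, value = chunk.partition("=")
        if not has_eq and not keep_blank_values:
            continue  # bare name without '=' is dropped, as parse_qsl does
        if value or keep_blank_values:
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def parse_qsl_legacy(qs, keep_blank_values=False):
    """Pre-fix behaviour: both '&' and ';' act as parameter separators.

    Splitting happens before percent-decoding, so an encoded '%3B' is
    still a literal ';' inside a value in both interpretations.
    """
    return parse_qsl_with_separator(qs.replace(";", "&"), "&", keep_blank_values)


def separator_mismatch(qs):
    """True when the two interpretations disagree about the parameters.

    A cache that keys on '&'-separated parameters and a backend that
    still honours ';' would see different parameter sets for such a
    query string; that disagreement is the root of the web cache
    poisoning issue the advisory refers to. Handy as a log-review check
    for requests carrying a literal ';' in the query string.
    """
    return parse_qsl_with_separator(qs) != parse_qsl_legacy(qs)


if __name__ == "__main__":
    # Constructed sample query string for the demonstration.
    sample = "page=1;utm_source=x&lang=en"
    print("fixed  (& only):", parse_qsl_with_separator(sample))
    print("legacy (& or ;):", parse_qsl_legacy(sample))
    print("mismatch:", separator_mismatch(sample))
```

Run stand-alone it prints the two parameter lists for the constructed sample: the fixed parser keeps `1;utm_source=x` as the value of `page`, while the legacy parser turns it into two parameters. Any layer in front of Django (cache, WAF, reverse proxy) needs to apply the same single-separator rule for the two views of a request to agree.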
What is the rpm for M7 ????
CC: (none) => herman.viaene
In another bug not ready for QA.
Whiteboard: MGA7TOO MGA8-64-OK => MGA8-64-OK
Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory committed to SVN.
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-23336
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0135.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This update also fixed CVE-2021-3281:
https://www.debian.org/lts/security/2022/dla-3164
https://www.djangoproject.com/weblog/2021/feb/01/security-releases/