Bug 28802 - python-django new security issues CVE-2021-28658, CVE-2021-31542, CVE-2021-32052, CVE-2021-33203, CVE-2021-33571, CVE-2021-35042
Summary: python-django new security issues CVE-2021-28658, CVE-2021-31542, CVE-2021-32...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 24899
Reported: 2021-04-18 22:36 CEST by David Walser
Modified: 2023-03-09 19:45 CET (History)

See Also:
Source RPM: python-django-3.1.7-1.mga8.src.rpm
CVE: CVE-2021-28658, CVE-2021-31542, CVE-2021-32052, CVE-2021-33203, CVE-2021-33571, CVE-2021-35042
Status comment:



Description David Walser 2021-04-18 22:36:35 CEST
Upstream has issued an advisory on April 6:
https://www.djangoproject.com/weblog/2021/apr/06/security-releases/

The issue is fixed upstream in 3.1.8.

Mageia 8 is also affected.  Mageia 7 is in Bug 24899.
David Walser 2021-04-18 22:37:02 CEST

Blocks: (none) => 24899
Status comment: (none) => Fixed upstream in 3.1.8
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-04-19 19:55:32 CEST
Assigning to Python maintainers; CC'ing NicolasL who has done recent commits of this SRPM.

CC: (none) => mageia
Assignee: bugsquad => python

Comment 2 David Walser 2021-05-15 00:24:37 CEST
Upstream has issued an advisory on May 4:
https://www.djangoproject.com/weblog/2021/may/04/security-releases/

The issue is fixed upstream in 3.1.9.

Summary: python-django new security issue CVE-2021-28658 => python-django new security issues CVE-2021-28658 and CVE-2021-31542
Status comment: Fixed upstream in 3.1.8 => Fixed upstream in 3.1.9

Comment 3 David Walser 2021-05-15 00:26:34 CEST
Upstream has issued an advisory on May 6:
https://www.djangoproject.com/weblog/2021/may/06/security-releases/

The issue is fixed upstream in 3.1.10.

Only Cauldron is affected.

Status comment: Fixed upstream in 3.1.9 => Fixed upstream in 3.1.10
Summary: python-django new security issues CVE-2021-28658 and CVE-2021-31542 => python-django new security issues CVE-2021-28658, CVE-2021-31542, CVE-2021-32052

Comment 4 David Walser 2021-05-28 00:38:51 CEST
Debian-LTS has issued an advisory for the first two issues on April 9:
https://www.debian.org/lts/security/2021/dla-2622
Comment 5 David Walser 2021-05-28 21:03:42 CEST
Ubuntu has issued advisories for the first two issues on April 6 and May 4:
https://ubuntu.com/security/notices/USN-4902-1
https://ubuntu.com/security/notices/USN-4932-1
Comment 6 David Walser 2021-06-06 19:53:39 CEST
Upstream has issued an advisory on June 2:
https://www.djangoproject.com/weblog/2021/jun/02/security-releases/

The issues are fixed upstream in 3.1.12 and 3.2.4.

Ubuntu has issued an advisory for this on June 2:
https://ubuntu.com/security/notices/USN-4975-1

Status comment: Fixed upstream in 3.1.10 => Fixed upstream in 3.1.12 and 3.2.4
Summary: python-django new security issues CVE-2021-28658, CVE-2021-31542, CVE-2021-32052 => python-django new security issues CVE-2021-28658, CVE-2021-31542, CVE-2021-32052, CVE-2021-33203, CVE-2021-33571

Comment 7 David Walser 2021-06-06 20:30:59 CEST
python-django-3.2.4-1.mga9 uploaded for Cauldron by Stig-Ørjan.

CC: (none) => smelror
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 8 David Walser 2021-07-04 00:58:12 CEST
Upstream has issued an advisory on July 1:
https://www.djangoproject.com/weblog/2021/jul/01/security-releases/

The issues are fixed upstream in 3.1.13 and 3.2.5.

Status comment: Fixed upstream in 3.1.12 and 3.2.4 => Fixed upstream in 3.1.13 and 3.2.5
Whiteboard: (none) => MGA8TOO
Version: 8 => Cauldron
Summary: python-django new security issues CVE-2021-28658, CVE-2021-31542, CVE-2021-32052, CVE-2021-33203, CVE-2021-33571 => python-django new security issues CVE-2021-28658, CVE-2021-31542, CVE-2021-32052, CVE-2021-33203, CVE-2021-33571, CVE-2021-35042

Comment 9 Stig-Ørjan Smelror 2021-07-04 09:18:17 CEST
Advisory
========
Django has been updated to fix several security issues.


References
==========
https://www.djangoproject.com/weblog/2021/jul/01/security-releases/


Files
=====

Uploaded to core/updates_testing

python3-django-3.1.13-1.mga8

from python3-django-3.1.13-1.mga8.src.rpm

Version: Cauldron => 8
Assignee: python => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 10 David Walser 2021-07-04 11:11:12 CEST
Thanks.  Needs a real advisory with all of the CVEs and references (five upstream advisories).
David Walser 2021-07-04 11:11:31 CEST

Status comment: Fixed upstream in 3.1.13 and 3.2.5 => (none)

Comment 11 Len Lawrence 2021-07-14 22:31:39 CEST
mga8, x64

CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input

Referring to bug 28395 for testing procedure.
$ rpm -q python3-django
python3-django-3.1.7-1.mga8

Created a project successfully then removed it.

Updated the package.
$ django-admin startproject mysite
$ ls mysite
manage.py*  mysite/
$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
[...]
  Applying sessions.0001_initial... OK
$ ls
db.sqlite3  manage.py*  mysite/
$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
July 14, 2021 - 19:50:34
Django version 3.1.13, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Checked localhost:8000/
"The install worked successfully! Congratulations!"
plus an animation of a rocketship launching.  Links to documentation, the community and a Polling App tutorial.

$ python manage.py startapp polls
$ ls polls
admin.py  apps.py  __init__.py  migrations/  models.py  tests.py  views.py

Did not get very far with this due to confusion over directory names but it looked like django was working.  It would be easy for a python coder.

Giving this the go-ahead for x64.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 12 Thomas Andrews 2021-07-14 23:46:18 CEST
Validating. Advisory in Comment 9, but according to Comment 10 it is incomplete.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 13 Stig-Ørjan Smelror 2021-07-15 09:09:00 CEST
Advisory
========
Django has been updated to fix several security issues.


References
==========
https://www.djangoproject.com/weblog/2021/jul/01/security-releases/
https://nvd.nist.gov/vuln/detail/CVE-2021-28658
https://nvd.nist.gov/vuln/detail/CVE-2021-31542
https://nvd.nist.gov/vuln/detail/CVE-2021-32052
https://nvd.nist.gov/vuln/detail/CVE-2021-33203
https://nvd.nist.gov/vuln/detail/CVE-2021-33571
https://nvd.nist.gov/vuln/detail/CVE-2021-35042


Files
=====

Uploaded to core/updates_testing

python3-django-3.1.13-1.mga8

from python3-django-3.1.13-1.mga8.src.rpm
Comment 14 David Walser 2021-07-15 15:05:30 CEST
Still wrong.  See Comment 0 through 8.  There are 5 upstream advisories, not just one.  The advisory should also have CVE descriptions.  There aren't too many of them to justify a generic advisory.
Comment 15 Aurelien Oudelet 2021-07-15 22:03:13 CEST
Advisory:
========================

Updated python-django package fixes security vulnerabilities:

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability (CVE-2021-28658).

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names (CVE-2021-31542).

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers (CVE-2021-32052).

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories (CVE-2021-33203).

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+.) (CVE-2021-33571).

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application (CVE-2021-35042).

python3-django is updated to 3.1.13 version to fix these security issues among other upstream bugfixes, see upstream release notes.

References:
 - https://bugs.mageia.org/show_bug.cgi?id=28802
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28658
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31542
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32052
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33203
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33571
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35042
 - https://www.djangoproject.com/weblog/2021/apr/06/security-releases/
 - https://www.djangoproject.com/weblog/2021/may/04/security-releases/
 - https://www.djangoproject.com/weblog/2021/may/06/security-releases/
 - https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
 - https://www.djangoproject.com/weblog/2021/jul/01/security-releases/
 - https://docs.djangoproject.com/en/dev/releases/3.1.8/
 - https://docs.djangoproject.com/en/dev/releases/3.1.9/
 - https://docs.djangoproject.com/en/dev/releases/3.1.10/
 - https://docs.djangoproject.com/en/dev/releases/3.1.11/
 - https://docs.djangoproject.com/en/dev/releases/3.1.12/
 - https://docs.djangoproject.com/en/dev/releases/3.1.13/
 - https://www.debian.org/lts/security/2021/dla-2622
 - https://ubuntu.com/security/notices/USN-4902-1
 - https://ubuntu.com/security/notices/USN-4932-1
 - https://ubuntu.com/security/notices/USN-4975-1
========================

Updated package in core/updates_testing:
========================
python3-django-3.1.13-1.mga8

from SRPM:
python3-django-3.1.13-1.mga8.src.rpm

CVE: (none) => CVE-2021-28658, CVE-2021-31542, CVE-2021-32052, CVE-2021-33203, CVE-2021-33571, CVE-2021-35042
CC: (none) => ouaurelien
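The three input-validation issues in the advisory above (untrusted order_by input, leading-zero IPv4 octets, and newlines or tabs in URL values) share one mitigation on the application side: validate client-supplied values against a strict allow-list before they reach the ORM, an access-control check, or a response header. The following is an added example of that pattern in plain Python, not code from Django or from the Mageia package; the column names in ALLOWED_ORDER_FIELDS are constructed for the example.

```python
import ipaddress
import re

# Constructed allow-list of columns a client may sort on (hypothetical schema).
ALLOWED_ORDER_FIELDS = {"name", "created", "price"}

# Strict dotted-quad form: each octet is "0" or a number without a leading zero.
_STRICT_OCTET = r"(?:0|[1-9]\d{0,2})"
_STRICT_IPV4 = re.compile(rf"{_STRICT_OCTET}(?:\.{_STRICT_OCTET}){{3}}")


def safe_order_by(requested):
    """Map client-supplied ordering keys onto a fixed set of column names.

    CVE-2021-35042 concerned QuerySet.order_by() receiving unsanitized input;
    never passing the raw string through removes that whole class of problem.
    Returns the cleaned list, or None if any key names a non-allowed column.
    """
    clean = []
    for key in requested:
        field = key[1:] if key.startswith("-") else key  # keep "-" for DESC
        if field not in ALLOWED_ORDER_FIELDS:
            return None
        clean.append(key)
    return clean


def strict_ipv4(value):
    """True only for canonical dotted quads (no leading zeros, octets <= 255).

    CVE-2021-33571 allowed "0127.0.0.1"-style octal-looking octets through
    IP-based access checks; the regex rejects leading zeros and the
    ipaddress parse rejects out-of-range octets.
    """
    if not _STRICT_IPV4.fullmatch(value):
        return False
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def header_safe(value):
    """Reject CR, LF and TAB before a URL-like value is reflected into a header.

    CVE-2021-32052: URLValidator accepted newlines and tabs, which matter only
    if the application later places the value in an HTTP response header.
    """
    return not any(c in value for c in "\r\n\t")
```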

Comment 16 Aurelien Oudelet 2021-07-15 22:16:21 CEST
Oops. Sorry: you should read python-django-3.1.13-1.mga8 as SRPM in last comment.
SVN advisory reflects this change.
Aurelien Oudelet 2021-07-15 22:19:51 CEST

Keywords: (none) => advisory

Comment 17 Mageia Robot 2021-07-16 10:26:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0356.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

