Upstream has issued an advisory today (February 1): https://www.djangoproject.com/weblog/2022/feb/01/security-releases/ The issues are fixed upstream in 3.2.12. 3.1.x is no longer supported. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.2.12
Debian-LTS has issued an advisory for this on February 1: https://www.debian.org/lts/security/2022/dla-2906
Ubuntu has issued an advisory for this today (February 3): https://ubuntu.com/security/notices/USN-5269-1
Fedora has issued an advisory for this today (February 11): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
Wally upgraded cauldron to 3.2.12 in Feb 2022.

Updated package uploaded for Mageia 8

Advisory:
========================

Updated python-django package fixes security vulnerabilities:

* The {% debug %} template tag didn't properly encode the current context posing an XSS attack vector (CVE-2022-22818).
* Passing certain inputs to multipart forms could result in an infinite loop when parsing files resulting in a denial of service (CVE-2022-23833).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22818
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23833
https://www.debian.org/lts/security/2022/dla-2906
========================

Updated packages in core/updates_testing:
========================
python3-django-3.2.12-1.mga8.noarch.rpm

from python-django-3.2.12-1.mga8.src.rpm

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=29737#c3
Status comment: Fixed upstream in 3.2.12 => (none)
Assignee: python => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Keywords: (none) => has_procedure
CC: (none) => mhrambo3501
I totally forgot (wish we could edit) that there is a dependency that will be needed. Add to the file list:

python3-asgiref-3.5.0-1.mga8.noarch.rpm

from python-asgiref-3.5.0-1.mga8.src.rpm

Updated packages in core/updates_testing:
========================
python3-django-3.2.12-1.mga8.noarch.rpm
python3-asgiref-3.5.0-1.mga8.noarch.rpm

from python-django-3.2.12-1.mga8.src.rpm
from python-asgiref-3.5.0-1.mga8.src.rpm
Add a note to the advisory that asgiref was updated for the new django. Also make sure the URL from Comment 0 is in the references, and if there's a release notes for Django 3.2, that would be good to include since we're switching branches.
Updated advisory...

Updated package uploaded for Mageia 8

Advisory:
========================

Updated python-django package fixes security vulnerabilities:

* The {% debug %} template tag didn't properly encode the current context posing an XSS attack vector (CVE-2022-22818).
* Passing certain inputs to multipart forms could result in an infinite loop when parsing files resulting in a denial of service (CVE-2022-23833).

Note that the python-django update necessitated a version update to python-asgiref as well. The files are included in the file list and python-asgiref is needed in order to install python-django.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22818
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23833
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
========================

Updated packages in core/updates_testing:
========================
python3-django-3.2.12-1.mga8.noarch.rpm
python3-asgiref-3.5.0-1.mga8.noarch.rpm

from python-django-3.2.12-1.mga8.src.rpm
from python-asgiref-3.5.0-1.mga8.src.rpm

Since this update is a change from the 3.1 to the 3.2 python-django branch, a link to the release notes for the 3.2 branch is included.
https://docs.djangoproject.com/en/4.0/releases/3.2/

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=29737#c3
mga8, x64

Updated the packages using qarepo.

Ran Herman's tests:

$ django-admin startproject mysite
/usr/bin/django-admin:17: RemovedInDjango40Warning: django-admin.py is deprecated in favor of django-admin.

$ tree mysite
mysite
├── manage.py
└── mysite
    ├── asgi.py
    ├── __init__.py
    ├── settings.py
    ├── urls.py
    └── wsgi.py

$ cd mysite
$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  [...]
  Applying sessions.0001_initial... OK

$ ls
db.sqlite3  manage.py*  mysite/

$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
March 20, 2022 - 16:26:47
Django version 3.2.12, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

localhost:8000/ showed django and the rocketship with the Congratulations message. The three links at the bottom of the page worked OK.

In another terminal:

$ cd mysite
$ python manage.py startapp polls
$ ls polls
admin.py  apps.py  __init__.py  migrations/  models.py  tests.py  views.py
$ cd polls

__init__.py is empty and the other five scripts are just stubs and when run import modules without error.

That all looks OK.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
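The advisory and the QA run above both hinge on two facts: python-django must be at 3.2.12 or later, and python-asgiref must be at 3.5.0 or later for the new django to install. The following script is an added example (not part of this bug's comments, the Mageia packages, or Django itself) that audits rpm -qa style output against those minimums using only the Python standard library. The package names and minimum versions are taken from the file list in this bug; the sample query output is constructed for illustration and is not real output from a Mageia host.

```python
"""Audit installed python3-django / python3-asgiref versions against the
minimums named in the advisory. Standard library only.

Assumption: input lines look like rpm -qa output on Mageia, i.e.
'name-version-release.arch' with the name possibly containing dashes.
"""
import re
from typing import Dict, List, Tuple

# Minimum fixed versions, from the advisory file list in this bug.
# (asgiref 3.5.0 is the version shipped alongside the django update;
# treating it as a minimum is an assumption of this example.)
FIXED_VERSIONS: Dict[str, str] = {
    "python3-django": "3.2.12",
    "python3-asgiref": "3.5.0",
}


def parse_nvra(line: str) -> Tuple[str, str, str]:
    """Split 'name-version-release.arch' into (name, version, release.arch).

    rpm names may contain dashes, so split from the right: the last two
    dash-separated fields are always version and release.
    """
    name, version, release = line.strip().rsplit("-", 2)
    return name, version, release


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '3.2.12' into (3, 2, 12) so versions compare numerically
    rather than lexically ('3.2.9' < '3.2.12')."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_fixed(name: str, version: str) -> bool:
    """True when the installed version meets the advisory minimum."""
    return version_key(version) >= version_key(FIXED_VERSIONS[name])


def audit(rpm_lines: List[str]) -> Dict[str, str]:
    """Return {package: 'fixed' | 'vulnerable' | 'missing'} for every
    package in FIXED_VERSIONS, given rpm -qa output lines."""
    result = {name: "missing" for name in FIXED_VERSIONS}
    for line in rpm_lines:
        if not line.strip():
            continue
        name, version, _release = parse_nvra(line)
        if name in FIXED_VERSIONS:
            result[name] = "fixed" if is_fixed(name, version) else "vulnerable"
    return result


# Constructed sample output: a host still on the old 3.1 branch with the
# older asgiref, and the same host after applying this update.
SAMPLE_BEFORE = [
    "python3-django-3.1.0-1.mga8.noarch",   # constructed version
    "python3-asgiref-3.2.0-1.mga8.noarch",  # constructed version
]
SAMPLE_AFTER = [
    "python3-django-3.2.12-1.mga8.noarch",
    "python3-asgiref-3.5.0-1.mga8.noarch",
    "python3-pip-20.0.0-1.mga8.noarch",     # unrelated package, constructed
]

if __name__ == "__main__":
    for label, lines in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(lines))
```

On a real host the input would come from `rpm -qa python3-django python3-asgiref`; the script only reports, so it is safe to run on any box as part of confirming the QA step above.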
Validating. Updated advisory in Comment 7.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0104.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED