Bug 30273 - python-django new security issues CVE-2022-2834[67]
Summary: python-django new security issues CVE-2022-2834[67]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-04-11 16:08 CEST by David Walser
Modified: 2022-05-19 09:57 CEST (History)
5 users (show)

See Also:
Source RPM: python-django-3.2.12-1.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-04-11 16:08:00 CEST 
Upstream has issued an advisory today (April 11):
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/

The issues are fixed upstream in 3.2.13.

Mageia 8 is also affected.
David Walser 2022-04-11 16:08:11 CEST

Status comment: (none) => Fixed upstream in 3.2.13
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-04-11 16:14:42 CEST 
Ubuntu has issued an advisory for this today (April 11):
https://ubuntu.com/security/notices/USN-5373-1
Comment 2 David Walser 2022-05-15 19:42:56 CEST 
Updated package uploaded for Mageia 8 and Cauldron by papoteur:
python3-django-3.2.13-1.mga8

from python-django-3.2.13-1.mga8.src.rpm

CC: (none) => yves.brungard_mageia
Status comment: Fixed upstream in 3.2.13 => (none)
Assignee: python => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 3 Len Lawrence 2022-05-16 12:47:30 CEST 
mga8, x86_64

Checked the core version for later comparison by creating a project as in bug 28802.
Successful installion of mysite.  Removed the whole project tree and ran the update.

$ django-admin startproject mysite
$ ls mysite
manage.py*  mysite/
$ cd mysite
$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
[...]
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK
$ tree
.
├── db.sqlite3
├── manage.py
└── mysite
    ├── asgi.py
    ├── __init__.py
    ├── __pycache__
    │   ├── __init__.cpython-38.pyc
    │   ├── settings.cpython-38.pyc
    │   └── urls.cpython-38.pyc
    ├── settings.py
    ├── urls.py
    └── wsgi.py
$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...
System check identified no issues (0 silenced).
May 16, 2022 - 10:37:24
Django version 3.2.13, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

In a browser a success message was posted at localhost:8000/ with the image of a rocketship launching.  It provided usefule links to release notes and documentation.

No regressions - good enough.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-05-16 14:12:25 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-05-19 00:13:15 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-05-19 09:57:00 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0190.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.