Package: python-django
Version: 1:1.10.7-2+deb9u10
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2021-23336[0]:
| The package python/cpython from 0 and before 3.6.13, from 3.7.0 and
| before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before
| 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl
| and urllib.parse.parse_qs by using a vector called parameter cloaking.
| When the attacker can separate query parameters using a semicolon (;),
| they can cause a difference in the interpretation of the request
| between the proxy (running with default configuration) and the server.
| This can result in malicious requests being cached as completely safe
| ones, as the proxy would usually not see the semicolon as a separator,
| and therefore would not include it in a cache key of an unkeyed
| parameter.

Django is vulnerable because it embeds parse_qsl:

  https://www.djangoproject.com/weblog/2021/feb/19/security-releases/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23336
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
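The parser discrepancy the CVE text describes, modelled in Python as an added illustration (not code from the bug report, Django or CPython): a constructed proxy that splits only on '&' and keeps 'utm_source' out of its cache key, the pre-fix parse_qsl semantics that also split on ';', and the patched parse_qsl with an explicit separator. The UNKEYED set, the function names and the sample query strings are assumptions for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed example: a cache that leaves this parameter out of its key.
UNKEYED = {"utm_source"}


def _pairs(parts):
    """Turn raw 'k=v' fragments into (key, value) tuples, keeping blank values."""
    return [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in parts if p]


def proxy_parse(qs):
    """A proxy/cache with default settings: only '&' separates parameters."""
    return _pairs(qs.split("&"))


def legacy_parse(qs):
    """Pre-fix parse_qsl semantics: both '&' and ';' separate parameters."""
    return _pairs(re.split(r"[&;]", qs))


def fixed_parse(qs):
    """Patched parse_qsl (3.9.2+ etc.): separator is explicit, ';' is plain data."""
    return parse_qsl(qs, keep_blank_values=True, separator="&")


def cache_key(qs):
    """What the proxy caches on: keyed parameters only, order-insensitive."""
    return tuple(sorted(kv for kv in proxy_parse(qs) if kv[0] not in UNKEYED))


def backend_answer(qs, parser):
    """The 'q' value the application acts on; the last occurrence wins, like dict()."""
    return dict(parser(qs)).get("q", "")


def cloaking_gap(qs, parser=legacy_parse):
    """True when the proxy and the backend read 'q' differently for this query.

    Useful as a log/WAF check: with the legacy parser a ';' inside an unkeyed
    parameter opens a gap; with the fixed parser the gap is closed.
    """
    proxy_q = dict(proxy_parse(qs)).get("q", "")
    return proxy_q != backend_answer(qs, parser)


if __name__ == "__main__":
    benign = "q=hello&utm_source=news"
    cloaked = "q=hello&utm_source=news;q=other"   # constructed sample request
    print(cache_key(benign) == cache_key(cloaked))           # True: same cache entry
    print(backend_answer(cloaked, legacy_parse))             # other (vulnerable)
    print(backend_answer(cloaked, fixed_parse))              # hello (fixed)
```

Both requests map to the same cache key, so whichever backend answer the proxy stores is served for both; only the patched parser makes that answer the same one the proxy expected.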