Your message dated Fri, 19 Feb 2021 09:33:34 +0000 with message-id <e1ld2ai-000bm7...@fasolo.debian.org> and subject line Bug#983090: fixed in python-django 2:2.2.19-1 has caused the Debian Bug report #983090, regarding python-django: CVE-2021-23336 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 983090: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983090 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: python-django Version: 1:1.10.7-2+deb9u10 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for python-django. CVE-2021-23336[0]: | The package python/cpython from 0 and before 3.6.13, from 3.7.0 and | before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before | 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl | and urllib.parse.parse_qs by using a vector called parameter cloaking. | When the attacker can separate query parameters using a semicolon (;), | they can cause a difference in the interpretation of the request | between the proxy (running with default configuration) and the server. | This can result in malicious requests being cached as completely safe | ones, as the proxy would usually not see the semicolon as a separator, | and therefore would not include it in a cache key of an unkeyed | parameter. Django is vulnerable because it embeds parse_qsl: https://www.djangoproject.com/weblog/2021/feb/19/security-releases/ If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-23336 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336 Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
--- End Message ---
--- Begin Message ---Source: python-django Source-Version: 2:2.2.19-1 Done: Chris Lamb <la...@debian.org> We believe that the bug you reported is fixed in the latest version of python-django, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 983...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Chris Lamb <la...@debian.org> (supplier of updated python-django package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Fri, 19 Feb 2021 09:22:37 +0000 Source: python-django Built-For-Profiles: nocheck Architecture: source Version: 2:2.2.19-1 Distribution: unstable Urgency: medium Maintainer: Debian Python Team <team+pyt...@tracker.debian.org> Changed-By: Chris Lamb <la...@debian.org> Closes: 983090 Changes: python-django (2:2.2.19-1) unstable; urgency=medium . * New upstream security release: . - CVE-2021-23336: Prevent a web cache poisoning attack via "parameter cloaking". Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ";" as a query parameter separator by default. (Closes: #983090) . <https://www.djangoproject.com/weblog/2021/feb/19/security-releases/> . * Refresh patches. Checksums-Sha1: 728018e909533316b33ed8e6278c792f5d87812b 2779 python-django_2.2.19-1.dsc 7aef80dd858d268cc7dc15e8f3b5a43a5252edda 9209434 python-django_2.2.19.orig.tar.gz 45405f991e272a0c695cfcd6b7f30614b36e33b5 26688 python-django_2.2.19-1.debian.tar.xz ddc31f0b82cd9ef7a33f72328c3bf2d174cb503c 7733 python-django_2.2.19-1_amd64.buildinfo Checksums-Sha256: 4649c16beea3783fa53f4b4f1eb0620f73b7276fc79899ea970ddcfe7fb362cb 2779 python-django_2.2.19-1.dsc 30c235dec87e05667597e339f194c9fed6c855bda637266ceee891bf9093da43 9209434 python-django_2.2.19.orig.tar.gz bab52b16468262f9d2d5df8d76a5509a65f5e11f1ca72485a7bd231a024f72bc 26688 python-django_2.2.19-1.debian.tar.xz 503bedca8df9aa93173ce72b2a3d130cc05a7eb6ee5c391b54b00703da6df847 7733 python-django_2.2.19-1_amd64.buildinfo Files: d1c10b445609e45c6cdd6396c8405e98 2779 python optional python-django_2.2.19-1.dsc adecf675c2af9dab8ed65246963718d4 9209434 python optional python-django_2.2.19.orig.tar.gz b91fc9d32c8ef57e92e3022a95297491 26688 python optional python-django_2.2.19-1.debian.tar.xz eb900b8b044826d643a4f0790c1f659f 7733 python optional python-django_2.2.19-1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmAvhCwACgkQHpU+J9Qx HliaehAAsrge8xjJucziOUNJFeEsOnB5VS0sZfOho9BpbefWJvMsacnmiG7k63GJ IuiCpq/CKb0+/5Gjv3JUcRSfrEYoU6SF1VgLs977Odlo7mFqzrXur1v/8IqyiY4X 9DtUF542MKhGgaJdthrqcPi/Ia7l/nbKKEqCQgzbXLju0hBnkusei6c/X1rkJTWV uMru/hy84+TFipadHTow/A2WciUE70QIS9j1Ph6WaGDu1azNzNVqvPytr1kGOQs8 YEzi/zLU8ooIOW+jNhnYbuO1I55QJ8efL5VSlcDX9kW33QaMdPgZt+ozLsGWJpR7 xZxDMvl0QmmNi1Vwyt035ToCsaXO4UXkYjo4JkMXy0p6HVxrv0Ui5frWmPKI1zNG wM5llDPqM554gi4/IcsGUbDohXKNDtV9EUMQXssaNTVGOFPZMpodWJ4vVnJ9CSc+ 1wyUsfUt+S8wF3DGzM7FaQLEgwFLf9cCGKNTxzxBkBoRcIyC/andxkcxy2fOaVMB NYc62ghMPHHt+NBWQDABoN/fF02I0O3Kcx6kNjbTXo0fGAy5iGKBwgDCbrgbLIvT +hDnJdjq4XGxIyrQqXzqjuUsJHljN6cn5kxksMnf7IBJhr9owAHvDLI2k13jPKOi Am/ubTWSQEW0g4oshQtT1ZpzN/XRspPsuBgxvsA56wqmj+gFiLY= =7+Rl -----END PGP SIGNATURE-----
--- End Message ---
