Your message dated Wed, 02 Jun 2021 15:19:05 +0000
with message-id <e1lose9-0005tz...@fasolo.debian.org>
and subject line Bug#989394: fixed in python-django 2:3.2.4-1
has caused the Debian Bug report #989394,
regarding python-django: CVE-2021-33203 & CVE-2021-33571
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
989394: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989394
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1:1.11.29-1~deb10u1
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

  * CVE-2021-33203: Potential directory traversal via admindocs

    Staff members could use the admindocs TemplateDetailView view to
    check the existence of arbitrary files. Additionally, if (and only
    if) the default admindocs templates have been customized by the
    developers to also expose the file contents, then not only the
    existence but also the file contents would have been exposed.

    As a mitigation, path sanitation is now applied and only files
    within the template root directories can be loaded.

    This issue has low severity, according to the Django security
    policy.

    Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
    the CodeQL Python team for the report.

  * CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
    since validators accepted leading zeros in IPv4 addresses

    URLValidator, validate_ipv4_address(), and
    validate_ipv46_address() didn't prohibit leading zeros in octal
    literals. If you used such values you could suffer from
    indeterminate SSRF, RFI, and LFI attacks.

    validate_ipv4_address() and validate_ipv46_address() validators
    were not affected on Python 3.9.5+.

    This issue has medium severity, according to the Django security
    policy.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

  https://www.djangoproject.com/weblog/2021/jun/02/security-releases/


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- End Message ---
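The mitigation the report describes for CVE-2021-33203, confining a requested template name to the configured template root directories, as an added example that is not part of the bug report or of Django's own code (Django's actual fix is in the release linked above). The root paths, the function names and the throwaway directory built by `demo()` are constructed for this example; the containment test is done on the resolved path, so `..`, an absolute name and a symlink pointing outside the root all fail it.

```python
"""Confining a user-supplied template name to the configured template roots.

Added example, not Django's code: a sketch of the mitigation the advisory
describes (path sanitation so that only files under the template root
directories can be opened). Root paths below are constructed and need not exist.
"""
import os
import tempfile
from pathlib import Path
from typing import Iterable, Optional

# Constructed template roots for the example; nothing here has to exist on disk.
TEMPLATE_ROOTS = ["/srv/app/templates", "/srv/app/vendor/templates"]


def resolve_within_roots(name: str, roots: Iterable[str]) -> Optional[Path]:
    """Return the absolute path of `name` under the first root that contains it,
    or None when every candidate escapes its root (or names the root itself).

    The check runs on the *resolved* candidate, so "..", an absolute `name`
    (which Path's `/` would otherwise let replace the root) and a symlink that
    points outside the root all fail the containment test.
    """
    for root in roots:
        root_path = Path(root).resolve()
        try:
            candidate = (root_path / name).resolve()
        except (ValueError, OSError):  # e.g. an embedded NUL byte
            continue
        if candidate == root_path:
            continue  # the directory itself is never a template
        try:
            candidate.relative_to(root_path)
        except ValueError:
            continue  # escaped this root; try the next one
        return candidate
    return None


def demo() -> dict:
    """Build a throwaway root holding one template and a symlink that escapes
    it, then probe the resolver. Returns {name: served?} for each probe."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "templates"
        (root / "admin").mkdir(parents=True)
        (root / "admin" / "base.html").write_text("<html></html>")
        outside = Path(tmp) / "secret.txt"  # constructed file outside the root
        outside.write_text("not a template")
        os.symlink(outside, root / "escape.html")
        probes = [
            "admin/base.html",          # legitimate template
            "../secret.txt",            # parent traversal
            "/etc/hostname",            # absolute name
            "escape.html",              # symlink out of the root
            "admin/../../secret.txt",   # traversal hidden behind a real directory
        ]
        return {p: resolve_within_roots(p, [str(root)]) is not None for p in probes}


if __name__ == "__main__":
    for name, served in demo().items():
        print(f"{name:28} {'served' if served else 'rejected'}")
```

Only a name that passes this test is ever stat'ed or opened, so the view no longer doubles as an existence oracle for arbitrary paths; the existence check itself, and any template rendering, happen afterwards on an allowed path only.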
--- Begin Message ---
Source: python-django
Source-Version: 2:3.2.4-1
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 02 Jun 2021 16:08:13 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.4-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 989394
Changes:
 python-django (2:3.2.4-1) experimental; urgency=medium
 .
   * New upstream security release. (Closes: #989394)
 .
     - CVE-2021-33203: Potential directory traversal via admindocs
 .
       Staff members could use the admindocs TemplateDetailView view to
       check the existence of arbitrary files. Additionally, if (and only
       if) the default admindocs templates have been customized by the
       developers to also expose the file contents, then not only the
       existence but also the file contents would have been exposed.
 .
       As a mitigation, path sanitation is now applied and only files
       within the template root directories can be loaded.
 .
       This issue has low severity, according to the Django security
       policy.
 .
       Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
       the CodeQL Python team for the report.
 .
     - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
       since validators accepted leading zeros in IPv4 addresses
 .
       URLValidator, validate_ipv4_address(), and
       validate_ipv46_address() didn't prohibit leading zeros in octal
       literals. If you used such values you could suffer from
       indeterminate SSRF, RFI, and LFI attacks.
 .
       validate_ipv4_address() and validate_ipv46_address() validators
       were not affected on Python 3.9.5+.
 .
       This issue has medium severity, according to the Django security
       policy.
 .
   * Bump Standards-Version to 4.5.1.
Checksums-Sha1:
 4ee1eed1a0e6fedf485170c4ebaa6f05d3bc69a6 2779 python-django_3.2.4-1.dsc
 7b0875627bfd044cbfd3c9dc4b87c653a3cbe2dc 9824343 python-django_3.2.4.orig.tar.gz
 f27a1a167c94f01a9091d686acb87261b45cf5b4 27032 python-django_3.2.4-1.debian.tar.xz
 78698ba6396279c6d28add969aa37f805a31b571 7554 python-django_3.2.4-1_amd64.buildinfo
Checksums-Sha256:
 c045b9445260288da3d6f7277c021e7bb48c00a75cb7e99c847523b7a8d637e0 2779 python-django_3.2.4-1.dsc
 66c9d8db8cc6fe938a28b7887c1596e42d522e27618562517cc8929eb7e7f296 9824343 python-django_3.2.4.orig.tar.gz
 db66b00bd8120de0d96702b9a7890d4705e9fddfc44cedddf3987d6ca45ff7c6 27032 python-django_3.2.4-1.debian.tar.xz
 3df5a500a06c8134046c67998d042083a4c28a2e004e318c3009060b7918ef16 7554 python-django_3.2.4-1_amd64.buildinfo
Files:
 50510e7b32ffd8e048d5da8868000399 2779 python optional python-django_3.2.4-1.dsc
 2f30db9154efb8c9ed891781d29fae2a 9824343 python optional python-django_3.2.4.orig.tar.gz
 96a44ad690e88af965d761690de5f506 27032 python optional python-django_3.2.4-1.debian.tar.xz
 440686c732564cd131064c3a67ef23d6 7554 python optional python-django_3.2.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
