[SECURITY] [DLA 2569-1] python-django security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2569-1] python-django security update
From: "Chris Lamb" <lamby@debian.org>
Date: Fri, 19 Feb 2021 11:24:07 -0500 (EST)
Message-id: <[🔎] 161375176994.1354095.9134458635295297664@tinycat.chris-lamb.co.uk>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2569-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
February 19, 2021                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python-django
Version        : 1:1.10.7-2+deb9u11
CVE ID         : CVE-2021-23336
Debian Bug     : #983090

It was discovered that there was a web cache poisoning attack in
Django, a popular Python-based web development framework.

This was caused by the unsafe handling of ";" characters in Python's
urllib.parse.parse_qsl method which had been backported to Django's
codebase to fix some other security issues in the past.

For Debian 9 "Stretch", this problem has been fixed in version
1:1.10.7-2+deb9u11.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmAv5dgACgkQHpU+J9Qx
HljAkhAAufqE1DWo2miWN5JEaJzLhYT7XfjNRKZNFwoYyI+Kpruf9NP4nhSW3NMQ
YjH7Dks7ucvkQwChOZ54Jq/ulHqwPfMrEKPx+dAVMNBC2uvljEb0kSVI697u+/oh
bg0+HnXc3xJdlB1kXnsxgA2wpCrNZw4Bo5H3Adc8MrnBmF9fc7ujBzAaajwVhmoj
t97jy0axt3TPTaUs6TCrnOuJLt7N9T/XEjKcOVMk7y7GSJzty9NmW1GLtnf1AktE
RIP/A9mScuCRZFwwtwvFmXGm8YXGf0Zl8lKSUjPiavyck1AmF8goEjnU+7ssJfaI
awlqLCzS7ySz6fxRiFEqcQwCoSrM82jnV+na/Z4vZPsUpfQKxroYtPQVHZTqwhFh
HxsdeuE/+yCBa8qvixt+ZEDV8KQpAdk9fE0gA2RMUbAHFNfP5nVOv5RH6u+JBHZa
77yDfBwfsZogjNQ2gqLial4HY06Fy5UtWZlZxkaEy9wDKfmDz8Xs4V3Y0OczFb9I
Ih7MbBVVnFnwKPeX1Oh9JpTLlgSJoRHrjK2KQdYindxb2HK7j4tcl283UV0sSCPU
+n6NvYa5OtRKob2PvNDspRud8xOz8TFxZwU2Ouvxv2pFqwpO6AWOEeRpMsljkUXx
/gq6rW3VZKygGSoQOoCEk6Z3KhJjrrjqalpmOyjc4DGJO9phJoE=
=5MRy
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2568-1] bind9 security update
Next by Date: [SECURITY] [DLA 2570-1] screen security update
Previous by thread: [SECURITY] [DLA 2568-1] bind9 security update
Next by thread: [SECURITY] [DLA 2570-1] screen security update
Index(es):
- Date
- Thread