Debian Long Term Support / LTS Security Information / 2021 / Security Information -- DLA-2651-1 python-django

Debian Security Advisory

DLA-2651-1 python-django -- LTS security update

Date Reported:

06 May 2021

Affected Packages:

python-django

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2021-31542.

More information:

It was discovered that there was potential directory-traversal vulnerability in Django, a popular Python-based web development framework.

The MultiPartParser, UploadedFile and FieldFile classes allowed directory-traversal via uploaded files with suitably crafted file names. In order to mitigate this risk, stricter basename and path sanitation is now applied. Specifically, empty file names and paths with dot segments are rejected.

• CVE-2021-31542

For Debian 9 Stretch, these problems have been fixed in version 1:1.10.7-2+deb9u13.

We recommend that you upgrade your python-django packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS