[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 2676-1] python-django security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2676-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
June 05, 2021                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python-django
Version        : 1:1.10.7-2+deb9u14
CVE IDs        : CVE-2021-33203 CVE-2021-33571
Debian Bug     : #989394

Two issues were discovered in Django, the Python-based web
development framework:

  * CVE-2021-33203: Potential directory traversal via admindocs

    Staff members could use the admindocs TemplateDetailView view to
    check the existence of arbitrary files. Additionally, if (and only
    if) the default admindocs templates have been customized by the
    developers to also expose the file contents, then not only the
    existence but also the file contents would have been exposed.

    As a mitigation, path sanitation is now applied and only files
    within the template root directories can be loaded.

    This issue has low severity, according to the Django security
    policy.

    Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
    the CodeQL Python team for the report.

  * CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
    since validators accepted leading zeros in IPv4 addresses

    URLValidator, validate_ipv4_address(), and
    validate_ipv46_address() didn't prohibit leading zeros in octal
    literals. If you used such values you could suffer from
    indeterminate SSRF, RFI, and LFI attacks.

    validate_ipv4_address() and validate_ipv46_address() validators
    were not affected on Python 3.9.5+.

    This issue has medium severity, according to the Django security
    policy.


For Debian 9 "Stretch", this problem has been fixed in version
1:1.10.7-2+deb9u14.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmC7SrkACgkQHpU+J9Qx
HlhfOxAAmBjCvWfUXv60dy2++hoDImfYP2jr5fhx965OAaHZj1B64pxwN8Le8gZR
ivEc/GpPsexkiLxyGKGzswcb/qJeRTHeu0hurpuXN2ICg2ZE8p1II3WzGaURip5I
JbOkOJ4tZdL6/KauNRAuRJpjA56yfdAl1kgavTB9KWD+f1FtuMLT88S/xPtnVBRc
nNUYv5oqkcDwfY+KfyegemEYYsyqhUbd0+g5yhjiJyCz+nI2woumfJTsS1E4Xvof
hvyOx2p4GVK2FKP4+gA/9DgGlZzZfe+7xKu+aw7iINEFidakl6kvAri7r2ew0KS2
drBn7qj5mEIbr+QbjdOWemwFy2nJpQvSmYGS86srSil2znObrJnBtNrhae3vyEqI
3QyQDlFanyNHPuf+7y8MntDBnXm1S09sEL0CGe8dn5IPpqTXfqRpfRDN1In3eKkj
BZ5P1rgVBKXlHDj2vF5SJdo6VXcMFMF1Sm8hfkbZ+JBbeXA7e8pv+0Chndd85VL1
UgNpy7DZtIQyEUTfqZbBf2yAjoxs/rUZ5eZZTg+nSLwimqhP+Vff4f6wagS+zCC6
hRbdlhAbVrRlVZa0Yqa7BY4UnIthq/5cjC1AR0KIwxHTOoR3p5g1UHFsv8+Nyx6v
FG8mbsMwqWaZX0J8hZ8JsXH5ZjhCw122G8mauEKi9BZSNFVeDXw=
=3FDW
-----END PGP SIGNATURE-----
Reply to: