MGASA-2021-0356 - Updated python-django package fixes security vulnerabilities

Publication date: 16 Jul 2021
URL: https://advisories.mageia.org/MGASA-2021-0356.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-28658,
     CVE-2021-31542,
     CVE-2021-32052,
     CVE-2021-33203,
     CVE-2021-33571,
     CVE-2021-35042

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8,
MultiPartParser allowed directory traversal via uploaded files with suitably
crafted file names. Built-in upload handlers were not affected by this
vulnerability (CVE-2021-28658).

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1,
MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via
uploaded files with suitably crafted file names (CVE-2021-31542).

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with
Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the
URLField form field is used). If an application uses values with newlines in
an HTTP response, header injection can occur. Django itself is unaffected
because HttpResponse prohibits newlines in HTTP headers (CVE-2021-32052).

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential
directory traversal via django.contrib.admindocs. Staff members could use the
TemplateDetailView view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by application developers to also show file contents, then not only
the existence but also the file contents would have been exposed. In other
words, there is directory traversal outside of the template root directories
(CVE-2021-33203).

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4,
URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit
leading zero characters in octal literals. This may allow a bypass of access
control that is based on IP addresses. (validate_ipv4_address and
validate_ipv46_address are unaffected with Python 3.9.5+..) (CVE-2021-33571).

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by
SQL injection if order_by is untrusted input from a client of a web application
(CVE-2021-35042).

python-django package is updated to 3.1.13 version to fix these security
issues among other upstream bugfixes, see upstream release notes.

References:
- https://bugs.mageia.org/show_bug.cgi?id=28802
- https://www.djangoproject.com/weblog/2021/apr/06/security-releases/
- https://www.djangoproject.com/weblog/2021/may/04/security-releases/
- https://www.djangoproject.com/weblog/2021/may/06/security-releases/
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
- https://www.djangoproject.com/weblog/2021/jul/01/security-releases/
- https://docs.djangoproject.com/en/dev/releases/3.1.8/
- https://docs.djangoproject.com/en/dev/releases/3.1.9/
- https://docs.djangoproject.com/en/dev/releases/3.1.10/
- https://docs.djangoproject.com/en/dev/releases/3.1.11/
- https://docs.djangoproject.com/en/dev/releases/3.1.12/
- https://docs.djangoproject.com/en/dev/releases/3.1.13/
- https://www.debian.org/lts/security/2021/dla-2622
- https://ubuntu.com/security/notices/USN-4902-1
- https://ubuntu.com/security/notices/USN-4932-1
- https://ubuntu.com/security/notices/USN-4975-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28658
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31542
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32052
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33203
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33571
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35042

SRPMS:
- 8/core/python-django-3.1.13-1.mga8

Mageia 2021-0356: python-django security update

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names

Summary

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability (CVE-2021-28658).
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names (CVE-2021-31542).
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers (CVE-2021-32052).
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories (CVE-2021-33203).
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) (CVE-2021-33571).
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application (CVE-2021-35042).
python-django package is updated to 3.1.13 version to fix these security issues among other upstream bugfixes, see upstream release notes.

References

- https://bugs.mageia.org/show_bug.cgi?id=28802

- https://www.djangoproject.com/weblog/2021/apr/06/security-releases/

- https://www.djangoproject.com/weblog/2021/may/04/security-releases/

- https://www.djangoproject.com/weblog/2021/may/06/security-releases/

- https://www.djangoproject.com/weblog/2021/jun/02/security-releases/

- https://www.djangoproject.com/weblog/2021/jul/01/security-releases/

- https://docs.djangoproject.com/en/dev/releases/3.1.8/

- https://docs.djangoproject.com/en/dev/releases/3.1.9/

- https://docs.djangoproject.com/en/dev/releases/3.1.10/

- https://docs.djangoproject.com/en/dev/releases/3.1.11/

- https://docs.djangoproject.com/en/dev/releases/3.1.12/

- https://docs.djangoproject.com/en/dev/releases/3.1.13/

- https://www.debian.org/lts/security/2021/dla-2622

- https://ubuntu.com/security/notices/USN-4902-1

- https://ubuntu.com/security/notices/USN-4932-1

- https://ubuntu.com/security/notices/USN-4975-1

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28658

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31542

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32052

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33203

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33571

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35042

Resolution

MGASA-2021-0356 - Updated python-django package fixes security vulnerabilities

SRPMS

- 8/core/python-django-3.1.13-1.mga8

Severity
Publication date: 16 Jul 2021
URL: https://advisories.mageia.org/MGASA-2021-0356.html
Type: security
CVE: CVE-2021-28658, CVE-2021-31542, CVE-2021-32052, CVE-2021-33203, CVE-2021-33571, CVE-2021-35042

Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved