<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Django: CVE-2021-28658: Potential directory-traversal via uploaded files
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Mariusz Felisiak <felisiak.mariusz () gmail com>
Date: Tue, 6 Apr 2021 09:54:31 +0200
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
https://www.djangoproject.com/weblog/2021/apr/06/security-releases/
In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the
Django team is issuing
`Django 3.1.8 <https://docs.djangoproject.com/en/dev/releases/3.1.8/>`_,
`Django 3.0.14
<https://docs.djangoproject.com/en/dev/releases/3.0.14/>`_ and
`Django 2.2.20 <https://docs.djangoproject.com/en/dev/releases/2.2.20/>`_.
These releases address the security issue with severity "low" detailed
below. We encourage all users of Django to upgrade as soon as possible.
CVE-2021-28658: Potential directory-traversal via uploaded files
================================================================
``MultiPartParser`` allowed directory-traversal via uploaded files with
suitably crafted file names.
Built-in upload handlers were not affected by this vulnerability.
Thank you to Dennis Brinkrolf for the report.
Affected supported versions
===========================
* Django main branch
* Django 3.2 (currently at release candidate status)
* Django 3.1
* Django 3.0
* Django 2.2
Resolution
==========
Patches to resolve the issue have been applied to Django's main branch and
the 3.2, 3.1, 3.0, and 2.2 release branches. The patches may be obtained
from the following changesets:
* On the `main branch
<https://github.com/django/django/commit/d4d800ca1addc4141e03c5440a849bb64d1582cd>`__
* On the `3.2 release branch
<https://github.com/django/django/commit/2820fd1be5dfccbf1216c3845fad8580502473e1>`__
* On the `3.1 release branch
<https://github.com/django/django/commit/cca0d98118cccf9ae0c6dcf2d6c57fc50469fbf0>`__
* On the `3.0 release branch
<https://github.com/django/django/commit/e7fba62248f604c76da4f23dcf1db4a57b0808ea>`__
* On the `2.2 release branch
<https://github.com/django/django/commit/4036d62bda0e9e9f6172943794b744a454ca49c2>`__
The following releases have been issued:
* Django 3.1.8 (`download Django 3.1.8
<https://www.djangoproject.com/m/releases/3.1/Django-3.1.8.tar.gz>`_ |
`3.1.8 checksums
<https://www.djangoproject.com/m/pgp/Django-3.1.8.checksum.txt>`_)
* Django 3.0.14 (`download Django 3.0.14
<https://www.djangoproject.com/m/releases/3.0/Django-3.0.14.tar.gz>`_ |
`3.0.14 checksums
<https://www.djangoproject.com/m/pgp/Django-3.0.14.checksum.txt>`_)
* Django 2.2.20 (`download Django 2.2.20
<https://www.djangoproject.com/m/releases/2.2/Django-2.2.20.tar.gz>`_ |
`2.2.20 checksums
<https://www.djangoproject.com/m/pgp/Django-2.2.20.checksum.txt>`_)
The PGP key ID used for this release is Mariusz Felisiak:
`2EF56372BA48CD1B <https://github.com/felixxm.gpg>`_.
General notes regarding security reporting
==========================================
As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
Django: CVE-2021-28658: Potential directory-traversal via uploaded files Mariusz Felisiak (Apr 06)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->