
Debian Bug report logs - #981562
python-django: CVE-2021-3281


Reported by: "Chris Lamb" <lamby@debian.org>

Date: Mon, 1 Feb 2021 11:57:02 UTC

Severity: grave

Tags: security

Found in versions 2:2.2.17-2, 1.7.11-1+deb8u10

Fixed in version python-django/2:2.2.18-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#981562; Package python-django. (Mon, 01 Feb 2021 11:57:04 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Mon, 01 Feb 2021 11:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2021-3281
Date: Mon, 01 Feb 2021 11:54:46 +0000
Package: python-django
Version: 1.7.11-1+deb8u10
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django:

CVE-2021-3281[0]

   https://www.djangoproject.com/weblog/2021/feb/01/security-releases/

At a first glance, all of jessie, stretch, buster, bullseye, sid and
experimental are vulnerable.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3281
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3281


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Marked as found in versions 2:2.2.17-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 01 Feb 2021 12:15:02 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Mon, 01 Feb 2021 12:21:03 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Mon, 01 Feb 2021 12:21:03 GMT)


Message #12 received at 981562-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 981562-close@bugs.debian.org
Subject: Bug#981562: fixed in python-django 2:2.2.18-1
Date: Mon, 01 Feb 2021 12:18:55 +0000
Source: python-django
Source-Version: 2:2.2.18-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 981562@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 01 Feb 2021 11:59:58 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.18-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 981562
Changes:
 python-django (2:2.2.18-1) unstable; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-3281: Potential directory-traversal via archive.extract().
 .
       The django.utils.archive.extract() function, used by startapp --template
       and startproject --template, allowed directory-traversal via an archive
       with absolute paths or relative paths with dot segments.
       (Closes: #981562)
 .
     <https://www.djangoproject.com/weblog/2021/feb/01/security-releases/>
 .
   * Drop 0006-Fixed-31850-Fixed-BasicExtractorTests.test_extractio.patch;
     applied upstream.
Checksums-Sha1:
 5be0eab5bc2ea4687d6b39aecc90c422fc985c9a 2779 python-django_2.2.18-1.dsc
 b0f4d5e684f70717113d79dfe44c5d8bf88a826a 9180844 python-django_2.2.18.orig.tar.gz
 62f00a124fc13312879d0440e4d1b662e947cb64 26532 python-django_2.2.18-1.debian.tar.xz
 1a2e627e3e76e8484c5024bb33c6ca1a0dd00e33 7781 python-django_2.2.18-1_amd64.buildinfo
Checksums-Sha256:
 95cb504064636be4757c71bd85b63bf43f8971136e8210fd705efa732307318c 2779 python-django_2.2.18-1.dsc
 c9c994f5e0a032cbd45089798b52e4080f4dea7241c58e3e0636c54146480bb4 9180844 python-django_2.2.18.orig.tar.gz
 a30ad38ea067f0f078c709d880aa1ca88c286e2351be84c8fcb290fc028c6fb7 26532 python-django_2.2.18-1.debian.tar.xz
 b523ac0c6aa7c8e2a815e99a197845ffd8fb1112510589d7cda03020e8bdf0eb 7781 python-django_2.2.18-1_amd64.buildinfo
Files:
 4e8cdb6b09b605433932812c5d00388b 2779 python optional python-django_2.2.18-1.dsc
 c6cf78dae9c0be5833d37be73ab63962 9180844 python optional python-django_2.2.18.orig.tar.gz
 0cd02934c79fc5288ed8cf26549fdd14 26532 python optional python-django_2.2.18-1.debian.tar.xz
 149a421f5312aca844e89be20ae042af 7781 python optional python-django_2.2.18-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
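The changelog above describes the class of defect behind CVE-2021-3281: an archive extractor that trusts member names, so an entry with an absolute path or a `..` segment can land outside the destination directory. The following is an added illustration, not Django's code and not part of this bug report, of the containment check an extractor needs. All names (`is_contained`, `classify_members`, `safe_extract`, `build_constructed_tar`, `demo`), the in-memory archive and its member names are assumptions constructed for the example; only the defect class comes from the changelog.

```python
"""
Added example (not Django's code): reject archive members that would
escape the extraction directory, the defect class named in CVE-2021-3281.

All function names and the constructed in-memory archive below are
illustrative assumptions, not anything from the bug report.
"""
import io
import os
import tarfile
import tempfile


def is_contained(member_name: str, target_dir: str) -> bool:
    """True only if member_name, joined to target_dir, resolves inside it."""
    target = os.path.realpath(target_dir)
    # An absolute member name makes os.path.join discard target_dir entirely,
    # so it can never be contained.
    if os.path.isabs(member_name):
        return False
    # realpath normalises '..' segments (and symlinks that already exist), so a
    # name like 'a/../../x' is judged by where it actually ends up.
    dest = os.path.realpath(os.path.join(target, member_name))
    # The trailing separator stops '/tmp/target2' matching '/tmp/target'.
    return dest == target or dest.startswith(target + os.sep)


def classify_members(names, target_dir="/tmp/extract-target"):
    """Split member names into (accepted, rejected) lists for a target dir."""
    accepted, rejected = [], []
    for name in names:
        (accepted if is_contained(name, target_dir) else rejected).append(name)
    return accepted, rejected


def build_constructed_tar() -> bytes:
    """Constructed in-memory tar: one benign member and two traversing ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        # addfile() stores the name verbatim, unlike add(), which strips '/'.
        for name in ("app/__init__.py", "../outside.py", "/etc/evil.conf"):
            data = b"# constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def safe_extract(archive_bytes: bytes, target_dir: str):
    """Extract only contained members; return the member names skipped."""
    skipped, safe_members = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if is_contained(member.name, target_dir):
                safe_members.append(member)
            else:
                skipped.append(member.name)
        # Python 3.12+ (and backports) ship tarfile.data_filter, which rejects
        # the same escapes; using it as well is defence in depth.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(path=target_dir, members=safe_members, **kwargs)
    return skipped


def demo():
    """Extract the constructed archive into a temp dir.

    Returns (skipped member names, whether the benign member was written).
    """
    with tempfile.TemporaryDirectory() as workdir:
        skipped = safe_extract(build_constructed_tar(), workdir)
        landed = os.path.isfile(os.path.join(workdir, "app", "__init__.py"))
    return skipped, landed


if __name__ == "__main__":
    print(demo())
```

The check resolves the joined path and compares it against the resolved target rather than pattern-matching on `..`, so encoded or nested variants (`a/../../x`) are judged by where they would actually be written.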






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Feb 2 08:01:54 2021; Machine Name: bembo
