python-django: CVE-2021-32052


Debian Bug report logs - #988136
python-django: CVE-2021-32052


Reported by: "Chris Lamb" <lamby@debian.org>

Date: Thu, 6 May 2021 12:03:01 UTC

Severity: grave

Tags: security

Found in version 1:1.10.7-2+deb9u13

Fixed in versions python-django/2:2.2.22-1, python-django/2:3.2.2-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#988136; Package python-django. (Thu, 06 May 2021 12:03:03 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Thu, 06 May 2021 12:03:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2021-32052
Date: Thu, 06 May 2021 12:57:42 +0100
Package: python-django
Version: 1:1.10.7-2+deb9u13
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

  CVE-2021-32052: Header injection possibility since URLValidator
  accepted newlines in input on Python 3.9.5+

  On Python 3.9.5+, URLValidator didn't prohibit newlines and tabs. If
  you used values with newlines in HTTP response, you could suffer from
  header injection attacks. Django itself wasn't vulnerable because
  HttpResponse prohibits newlines in HTTP headers.

  Moreover, the URLField form field which uses URLValidator silently
  removes newlines and tabs on Python 3.9.5+, so the possibility of
  newlines entering your data only existed if you are using this
  validator outside of the form fields.

  This issue was introduced by the bpo-43882 fix.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

  https://www.djangoproject.com/weblog/2021/may/06/security-releases/


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
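An added Python illustration (not part of the bug report and not Django's own code) of the mechanism the advisory describes and of the check that closes it: a validator that inspects only the parsed pieces misses CR/LF/TAB on Python 3.9.5+ because urlsplit() has already removed them, whereas rejecting the raw string before it is parsed, the same idea as the upstream fix, catches them on every interpreter. The function names and the sample URL are hypothetical.

```python
from urllib.parse import urlsplit

# CR, LF and TAB: urlsplit() has silently stripped these since bpo-43882
# (Python 3.9.5), and CR/LF end a header line, which is what makes a value
# carrying them injectable once it is written into an HTTP response header.
UNSAFE_CHARS = frozenset("\r\n\t")

# Constructed sample input: a URL with CR/LF followed by a fake header line.
INJECTED_URL = "https://example.com/next\r\nX-Injected: 1"

def has_unsafe(text: str) -> bool:
    return any(c in text for c in UNSAFE_CHARS)

def urlsplit_dropped_unsafe_chars(url: str) -> bool:
    """True when this interpreter's urlsplit() removed CR/LF/TAB from `url`.
    On Python >= 3.9.5 this is True for INJECTED_URL: every parsed part
    looks clean while the raw string still carries the control characters."""
    return has_unsafe(url) and not any(has_unsafe(p) for p in urlsplit(url))

def parse_then_check(url: str) -> bool:
    """The fragile pattern: parse first, then inspect only the parsed parts.
    On Python >= 3.9.5 INJECTED_URL passes, because the CR/LF were already
    gone when the check ran; older interpreters still reject it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return not any(has_unsafe(p) for p in parts)

class HeaderInjectionError(ValueError):
    """Raised when a URL carries characters that could break an HTTP header."""

def validate_url(url: str) -> str:
    """Hardened check, same idea as the Django fix: reject the raw string
    before it is parsed, then validate the parsed parts. Returns `url`."""
    if has_unsafe(url):
        raise HeaderInjectionError("URL contains CR, LF or TAB")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("not an absolute http(s) URL")
    return url

def is_safe_url(url: str) -> bool:
    """Boolean wrapper around validate_url() for callers that just branch."""
    try:
        validate_url(url)
    except ValueError:  # HeaderInjectionError is a ValueError too
        return False
    return True
```

Run `parse_then_check(INJECTED_URL)` on a 3.9.5+ interpreter to see the parse-first pattern accept the value that `is_safe_url` rejects.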



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Thu, 06 May 2021 15:06:03 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Thu, 06 May 2021 15:06:03 GMT)


Message #10 received at 988136-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 988136-close@bugs.debian.org
Subject: Bug#988136: fixed in python-django 2:2.2.22-1
Date: Thu, 06 May 2021 15:03:38 +0000
Source: python-django
Source-Version: 2:2.2.22-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988136@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 06 May 2021 15:52:24 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.22-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 988136
Changes:
 python-django (2:2.2.22-1) unstable; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-32052: Header injection possibility since URLValidator accepted
       newlines in input on Python 3.9.5+. (Closes: #988136)
     - Full release notes:
       <https://www.djangoproject.com/weblog/2021/may/06/security-releases/>





Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Thu, 06 May 2021 15:06:05 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Thu, 06 May 2021 15:06:05 GMT)


Message #15 received at 988136-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 988136-close@bugs.debian.org
Subject: Bug#988136: fixed in python-django 2:3.2.2-1
Date: Thu, 06 May 2021 15:03:46 +0000
Source: python-django
Source-Version: 2:3.2.2-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988136@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 06 May 2021 13:04:03 +0100
Source: python-django
Architecture: source
Version: 2:3.2.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 988136
Changes:
 python-django (2:3.2.2-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-32052: Header injection possibility since URLValidator accepted
       newlines in input on Python 3.9.5+. (Closes: #988136)
     - Full release notes:
       <https://www.djangoproject.com/weblog/2021/may/06/security-releases/>







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri May 7 08:08:37 2021; Machine Name: buxtehude
