Debian Bug report logs - #988053
python-django: CVE-2021-31542

Reported by: "Chris Lamb" <lamby@debian.org>

Date: Tue, 4 May 2021 11:15:02 UTC

Severity: grave

Tags: security

Found in versions 2:2.2.20-1, 1:1.10.7-2+deb9u12

Fixed in versions python-django/2:3.2.1-1, python-django/2:2.2.21-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#988053; Package python-django. (Tue, 04 May 2021 11:15:04 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Tue, 04 May 2021 11:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2021-31542
Date: Tue, 04 May 2021 12:11:49 +0100
Package: python-django
Version: 1:1.10.7-2+deb9u12
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2021-31542[0][1]:

  Potential directory-traversal via uploaded files

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-31542
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31542
[1] https://www.djangoproject.com/weblog/2021/may/04/security-releases/


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
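Worked illustration of what "directory-traversal via uploaded files" means for a storage layer, added here as an example; it is not Django's code, not the reporter's, and not part of the Debian package. The filename parameter of a multipart upload is attacker-controlled, so a storage layer that joins that name onto its upload directory without validation can be steered outside MEDIA_ROOT. The block shows the unsafe join beside a hardened one whose validate_file_name check, in the spirit of the fix shipped in the Django security release linked above, rejects any name that carries path elements. MEDIA_ROOT, the "avatars" upload_to value, the SuspiciousFileOperation stand-in and the list of crafted names are assumptions constructed for the example.

```python
"""Illustrative check for traversal via client-supplied upload filenames.

Added example; not code from Django, Debian or the bug reporter. It
re-implements, in the same spirit, the kind of filename validation the
Django security release described on this page introduced. Paths and
names below are assumed for illustration.
"""
import ntpath
import posixpath

MEDIA_ROOT = "/srv/app/media"  # assumed storage root for the example


class SuspiciousFileOperation(Exception):
    """Stand-in for the exception a storage layer raises on a bad name."""


def validate_file_name(name: str) -> str:
    """Return ``name`` if it is a bare filename, otherwise raise.

    Both POSIX and Windows separators are checked, so a name such as
    ``..\\..\\x`` is rejected even when the server runs on Linux.
    """
    if name in ("", ".", ".."):
        raise SuspiciousFileOperation(f"Could not derive a file name from {name!r}")
    if posixpath.basename(name) != name or ntpath.basename(name) != name:
        raise SuspiciousFileOperation(f"File name {name!r} includes path elements")
    return name


def unsafe_upload_path(upload_to: str, name: str) -> str:
    """Pre-fix pattern: join the client-supplied name without validation."""
    return posixpath.normpath(posixpath.join(MEDIA_ROOT, upload_to, name))


def escapes_media_root(path: str) -> bool:
    """True if an already-normalised absolute path lies outside MEDIA_ROOT."""
    return posixpath.commonpath([MEDIA_ROOT, path]) != MEDIA_ROOT


def safe_upload_path(upload_to: str, name: str) -> str:
    """Hardened pattern: validate the name, then confirm the final path
    still lies under MEDIA_ROOT (defence in depth against a bad upload_to)."""
    name = validate_file_name(name)
    path = posixpath.normpath(posixpath.join(MEDIA_ROOT, upload_to, name))
    if escapes_media_root(path):
        raise SuspiciousFileOperation(f"{path!r} escapes {MEDIA_ROOT!r}")
    return path


# Constructed filenames of the kind an attacker can place in the
# Content-Disposition ``filename=`` parameter of a multipart upload.
CRAFTED_NAMES = [
    "avatar.png",                    # benign
    "../../../../etc/cron.d/evil",   # classic traversal out of MEDIA_ROOT
    "..\\..\\windows\\win.ini",      # Windows-style separators
    "..",                            # degenerate name resolving to a directory
    "/etc/passwd",                   # absolute path resets the join
]


def triage(names=CRAFTED_NAMES):
    """For each name, report where the unsafe join lands, whether that
    escapes MEDIA_ROOT, and whether the hardened path accepts the name.
    Returns a list of (name, unsafe_path, escaped, accepted) tuples."""
    rows = []
    for name in names:
        unsafe = unsafe_upload_path("avatars", name)
        try:
            safe_upload_path("avatars", name)
            accepted = True
        except SuspiciousFileOperation:
            accepted = False
        rows.append((name, unsafe, escapes_media_root(unsafe), accepted))
    return rows


if __name__ == "__main__":
    for name, unsafe, escaped, accepted in triage():
        where = "ESCAPES" if escaped else "inside "
        verdict = "accepted" if accepted else "rejected"
        print(f"{where}  {verdict}  {name!r} -> {unsafe}")
```

Running the module prints one line per crafted name. Two cases are worth noting: the Windows-separator name does not escape MEDIA_ROOT on a POSIX host (it is just an odd filename), yet the basename check still rejects it, which is the behaviour you want from a portable storage layer; and the commonpath check in safe_upload_path is belt-and-braces for the case where upload_to itself is derived from untrusted data, which validate_file_name alone does not cover.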



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 04 May 2021 12:21:04 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 04 May 2021 12:21:04 GMT)


Message #10 received at 988053-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 988053-close@bugs.debian.org
Subject: Bug#988053: fixed in python-django 2:3.2.1-1
Date: Tue, 04 May 2021 12:18:30 +0000
Source: python-django
Source-Version: 2:3.2.1-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988053@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 May 2021 12:59:07 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 988053
Changes:
 python-django (2:3.2.1-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-31542: Potential directory-traversal via uploaded files.
       (Closes: #988053)
     - Full release notes:
       <https://www.djangoproject.com/weblog/2021/may/04/security-releases/>
   * Refresh patches.
Checksums-Sha1:
 4e9aceb3f35ba90ca8d72d0b54089a23929e2c76 2779 python-django_3.2.1-1.dsc
 cd6f18967e13a6e67dbee4713116aab9cb348865 9820723 python-django_3.2.1.orig.tar.gz
 6b5fc693f86fa6dd63c320af54bfa4b7da5c1cb9 26504 python-django_3.2.1-1.debian.tar.xz
 895958e9df418436ba1198f50e7e52ec90760185 7560 python-django_3.2.1-1_amd64.buildinfo
Checksums-Sha256:
 76d9149f9586360d67561e5cd18460d60f6417b3949b10e712e4b0d308d294ea 2779 python-django_3.2.1-1.dsc
 95c13c750f1f214abadec92b82c2768a5e795e6c2ebd0b4126f895ce9efffcdd 9820723 python-django_3.2.1.orig.tar.gz
 e7de92163a5dfe7abf81c3de80d59f8effa5455ebbfda16d995a764d717791e8 26504 python-django_3.2.1-1.debian.tar.xz
 a58113abb78c7bddf49aac771dd582b624741279064c398af43a24799bb5d7ad 7560 python-django_3.2.1-1_amd64.buildinfo
Files:
 5fb051d40043053c780a3234d4eed0d1 2779 python optional python-django_3.2.1-1.dsc
 0ded0d3408c38f4a5cff2128f5a9c4ba 9820723 python optional python-django_3.2.1.orig.tar.gz
 4e9b49570166af2a2cd26a1460e28b7b 26504 python optional python-django_3.2.1-1.debian.tar.xz
 22059cd19d6dfd1deb6653f4cebb004a 7560 python optional python-django_3.2.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmCROA8ACgkQHpU+J9Qx
HljunBAAo068DdgwR+39OCN2B5im9KSSwPz4T5nzQEfHaxVDW5o3kNsjQdE8qhiL
jF4+AyJkx6NKJQoSoYBIS1pN6NIxM8znhYXTdzobGaCKLLL8/Ja/cQuy5GqMDiNf
C7U+KqDL5IA13vBZln1VuO66pNvUkVLSZYQz1K+ki8wDOPha9HUOWmXN+j349RgX
jKcNmlAVwZufkTDaDAezExdQbv8bloP+i3/4zOZ2nU13og+/p9Z+dEaAvCQ/gC/p
OXxhceQzTYG2pBDWXsvZ+Q1Fqn09hizaBDWOiIfbn6dBdLetNLDJPGncNC7NafYL
3EYob/dmS6+7C+najdCNdGL4g8XT6CVvQ+4jKhO3RISDpU9Agfy37xI32Lvs0qdf
Z6CoTOmEYPQ9kQnnOHxnlby0QigiSczUlphW99ueU9Y3Rj2hZkrwICeD1NdMM9e+
5rkjell4T2xHlhpsk4dyWLUvBmCLGSL2pAT7oYlrV5rbyyc0kkCNpfwNJQOCVtKW
IN0k6VmYNuPesWfjNy8rfUG+aom5Up7POuHSA9GTH6x877KsjurLtH0ZzKndNZ65
lp5wJVdU8TXsVXBKSV4uBLHN0Ck9QfJm4TJw7bkLowrCg09UuDl0MviOYDKv1VrS
os1vV/P/iyPFV1kErGSZ0pWz9VJ2SlHD1uzKo6qyOAEsjHMOUoU=
=keAL
-----END PGP SIGNATURE-----




Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 04 May 2021 13:51:09 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 04 May 2021 13:51:09 GMT)


Message #15 received at 988053-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 988053-close@bugs.debian.org
Subject: Bug#988053: fixed in python-django 2:2.2.21-1
Date: Tue, 04 May 2021 13:48:32 +0000
Source: python-django
Source-Version: 2:2.2.21-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988053@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 May 2021 13:07:54 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.21-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 988053
Changes:
 python-django (2:2.2.21-1) unstable; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-31542: Potential directory-traversal via uploaded files.
       (Closes: #988053)
     - Full release notes:
       <https://www.djangoproject.com/weblog/2021/may/04/security-releases/>
Checksums-Sha1:
 0cd67bb33ac679d085b46a5d1a74c1c1280e340d 2779 python-django_2.2.21-1.dsc
 203abbd4ab8dd336a5e1cfcacf2e481ac5a29979 9209871 python-django_2.2.21.orig.tar.gz
 76b3a1f258c43bc6339b09c18332bf14d8055480 26800 python-django_2.2.21-1.debian.tar.xz
 8338375743e9345912cccdd91b86d782c8bc6512 7732 python-django_2.2.21-1_amd64.buildinfo
Checksums-Sha256:
 816cbf47c82e463ab6cfb9cb7cb0ad8e4aef65fcc449fc3041bb7fe3460571c7 2779 python-django_2.2.21-1.dsc
 7460cfe3781d36d1625230267dad255deb33e9229e41f21e32b33b9d536d20cd 9209871 python-django_2.2.21.orig.tar.gz
 5b5b1797ac6a24c0168c08d95cb27d0a5f489270ba21db6faba429cf798024c5 26800 python-django_2.2.21-1.debian.tar.xz
 38c8ea27680d7e78063d027c0041ffd801cd5c6621a70a2e1bd69055e001409c 7732 python-django_2.2.21-1_amd64.buildinfo
Files:
 2e1a5e138ba48f356bf4da86feb8bfcf 2779 python optional python-django_2.2.21-1.dsc
 fa2da272f5103dfe56c4ddc6d43037ca 9209871 python optional python-django_2.2.21.orig.tar.gz
 fee5a1476cb0f38f023338c7c3d4d5e0 26800 python optional python-django_2.2.21-1.debian.tar.xz
 b5657ba6494244b2e4d4b3744b4273a4 7732 python optional python-django_2.2.21-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Marked as found in versions 2:2.2.20-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 04 May 2021 17:06:03 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 5 08:08:17 2021; Machine Name: buxtehude
