python-django: CVE-2021-45115, CVE-2021-45116 & CVE-2021-45452

Related Vulnerabilities: CVE-2021-45115   CVE-2021-45116   CVE-2021-45452  

Debian Bug report logs - #1003113

Reported by: "Chris Lamb" <lamby@debian.org>

Date: Tue, 4 Jan 2022 12:12:13 UTC

Severity: grave

Tags: security

Found in version 1:1.10.7-2+deb9u14

Fixed in versions python-django/2:4.0.1-1, python-django/2:3.2.11-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#1003113; Package python-django. (Tue, 04 Jan 2022 12:12:15 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Tue, 04 Jan 2022 12:12:15 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2021-45115, CVE-2021-45116 & CVE-2021-45452
Date: Tue, 04 Jan 2022 12:02:59 +0000
Package: python-django
Version: 1:1.10.7-2+deb9u14
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django:

* CVE-2021-45115: Denial-of-service possibility in
  UserAttributeSimilarityValidator [0]

  UserAttributeSimilarityValidator incurred significant overhead
  evaluating submitted passwords that were artificially large
  relative to the comparison values. On the assumption that access
  to user registration was unrestricted, this provided a potential
  vector for a denial-of-service attack.

  In order to mitigate this issue, relatively long values are now
  ignored by UserAttributeSimilarityValidator.

* CVE-2021-45116: Potential information disclosure in dictsort
  template filter [1]

  Due to leveraging the Django Template Language's variable resolution
  logic, the dictsort template filter was potentially vulnerable to
  information disclosure or unintended method calls, if passed a
  suitably crafted key.

  In order to avoid this possibility, dictsort now works with a
  restricted resolution logic that will not call methods, nor allow
  indexing on dictionaries.

* CVE-2021-45452: Potential directory-traversal via Storage.save() [2]

  Storage.save() allowed directory-traversal if directly passed
  suitably crafted file names.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-45115
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45115
[1] https://security-tracker.debian.org/tracker/CVE-2021-45116
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45116
[2] https://security-tracker.debian.org/tracker/CVE-2021-45452
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45452


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
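As an added illustration of the CVE-2021-45115 mitigation (this is not Django's own validator code and is not part of the bug report): a similarity check that skips any attribute fragment the password is far too long to ever match, using the fact that SequenceMatcher.quick_ratio() can never exceed 2*len(b)/(len(a)+len(b)). The function names and the 0.7 threshold are assumptions.

```python
import re
from difflib import SequenceMatcher


def max_possible_ratio(password: str, value: str) -> float:
    """Upper bound on SequenceMatcher(a=password, b=value).quick_ratio().

    quick_ratio() returns 2*M / (len(a) + len(b)), and the number of
    matching characters M can never exceed len(b).
    """
    total = len(password) + len(value)
    return 2 * len(value) / total if total else 0.0


def too_long_to_match(password: str, value: str, max_similarity: float) -> bool:
    """True when no comparison against this value could reach the
    threshold, so the O(len(a)*len(b)) matcher need not run at all.
    This is the "relatively long values are ignored" idea in the fix."""
    return max_possible_ratio(password, value) < max_similarity


def similar_attribute_parts(password: str, attribute_value: str,
                            max_similarity: float = 0.7) -> list:
    """Return the fragments of a user attribute (e.g. the full name)
    that the password is too similar to, bounding the work per fragment
    before the expensive comparison is attempted."""
    if not attribute_value:
        return []
    password_lower = password.lower()
    value_lower = attribute_value.lower()
    # Compare against each word of the attribute and the whole value.
    parts = re.split(r"\W+", value_lower) + [value_lower]
    hits = []
    for part in parts:
        if not part or too_long_to_match(password_lower, part, max_similarity):
            continue
        if SequenceMatcher(a=password_lower, b=part).quick_ratio() >= max_similarity:
            hits.append(part)
    return hits
```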
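As an added illustration of the class of check behind the CVE-2021-45452 fix (my own code, not Django's Storage.save() implementation): a file-name validator plus a confined join that together reject any name which would resolve outside the storage root, in both a strict basename-only mode and a mode that permits relative subdirectories. SuspiciousFileOperation, storage_path, is_rejected and the /srv/media base are assumed names; POSIX path semantics are assumed.

```python
import os
import pathlib


class SuspiciousFileOperation(Exception):
    """Raised when a caller-supplied file name would escape the storage root."""


def validate_file_name(name: str, allow_relative_path: bool = False) -> str:
    """First line of defence: inspect the name before any path is built."""
    if not name:
        raise SuspiciousFileOperation("Empty file name")
    if allow_relative_path:
        # Storage keys use forward slashes; reject absolute paths and
        # any '..' component rather than trying to normalise them.
        path = pathlib.PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Path traversal detected in '{name}'")
    elif name != os.path.basename(name):
        # Strict mode: a bare file name only, the safe default for
        # anything that came straight out of an upload form.
        raise SuspiciousFileOperation(f"File name '{name}' includes path elements")
    return name


def storage_path(base: str, name: str, allow_relative_path: bool = False) -> str:
    """Second line of defence: join and then prove the result is under base."""
    validate_file_name(name, allow_relative_path)
    base_path = os.path.abspath(base)
    final = os.path.abspath(os.path.join(base_path, name))
    if final != base_path and not final.startswith(base_path + os.sep):
        raise SuspiciousFileOperation(f"'{name}' resolves outside {base}")
    return final


def is_rejected(base: str, name: str, allow_relative_path: bool = False) -> bool:
    """Convenience wrapper: True when storage_path refuses the name."""
    try:
        storage_path(base, name, allow_relative_path)
    except SuspiciousFileOperation:
        return True
    return False
```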



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 04 Jan 2022 12:39:03 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 04 Jan 2022 12:39:04 GMT)


Message #10 received at 1003113-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1003113-close@bugs.debian.org
Subject: Bug#1003113: fixed in python-django 2:4.0.1-1
Date: Tue, 04 Jan 2022 12:34:02 +0000
Source: python-django
Source-Version: 2:4.0.1-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1003113@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Jan 2022 12:03:13 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:4.0.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1003113
Changes:
 python-django (2:4.0.1-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-45115: Denial-of-service possibility in
       UserAttributeSimilarityValidator
 .
       UserAttributeSimilarityValidator incurred significant overhead evaluating
       submitted passwords that were artificially large relative to the
       comparison values. On the assumption that access to user registration was
       unrestricted, this provided a potential vector for a denial-of-service
       attack.
 .
       In order to mitigate this issue, relatively long values are now ignored
       by UserAttributeSimilarityValidator.
 .
     - CVE-2021-45116: Potential information disclosure in dictsort template
       filter
 .
       Due to leveraging the Django Template Language's variable resolution
       logic, the dictsort template filter was potentially vulnerable to
       information disclosure or unintended method calls, if passed a
       suitably crafted key.
 .
       In order to avoid this possibility, dictsort now works with a
       restricted resolution logic that will not call methods, nor allow
       indexing on dictionaries.
 .
     - CVE-2021-45452: Potential directory-traversal via Storage.save()
 .
       Storage.save() allowed directory-traversal if directly passed suitably
       crafted file names.
 .
     See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
     for more information. (Closes: #1003113)





Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 04 Jan 2022 14:51:11 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 04 Jan 2022 14:51:11 GMT)


Message #15 received at 1003113-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1003113-close@bugs.debian.org
Subject: Bug#1003113: fixed in python-django 2:3.2.11-1
Date: Tue, 04 Jan 2022 14:48:52 +0000
Source: python-django
Source-Version: 2:3.2.11-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1003113@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Jan 2022 12:35:16 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.11-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1003113
Changes:
 python-django (2:3.2.11-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2021-45115: Denial-of-service possibility in
       UserAttributeSimilarityValidator
 .
       UserAttributeSimilarityValidator incurred significant overhead evaluating
       submitted passwords that were artificially large relative to the
       comparison values. On the assumption that access to user registration was
       unrestricted, this provided a potential vector for a denial-of-service
       attack.
 .
       In order to mitigate this issue, relatively long values are now ignored
       by UserAttributeSimilarityValidator.
 .
     - CVE-2021-45116: Potential information disclosure in dictsort template
       filter
 .
       Due to leveraging the Django Template Language's variable resolution
       logic, the dictsort template filter was potentially vulnerable to
       information disclosure or unintended method calls, if passed a
       suitably crafted key.
 .
       In order to avoid this possibility, dictsort now works with a
       restricted resolution logic that will not call methods, nor allow
       indexing on dictionaries.
 .
     - CVE-2021-45452: Potential directory-traversal via Storage.save()
 .
       Storage.save() allowed directory-traversal if directly passed suitably
       crafted file names.
 .
     See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
     for more information. (Closes: #1003113)






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jan 4 16:10:10 2022; Machine Name: bembo
