Debian Bug report logs - #986447
python-django: CVE-2021-28658

Reported by: "Chris Lamb" <lamby@debian.org>

Date: Tue, 6 Apr 2021 08:42:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions 2:2.2.19-1, 1.7.11-1+deb8u11

Fixed in versions python-django/2:3.2-1, python-django/2:2.2.20-1

Done: Chris Lamb <lamby@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#986447; Package python-django. (Tue, 06 Apr 2021 08:42:03 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Tue, 06 Apr 2021 08:42:22 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2021-28658
Date: Tue, 06 Apr 2021 09:36:10 +0100
Package: python-django
Version: 1.7.11-1+deb8u11
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2021-28658[0][1]:

  MultiPartParser allowed directory-traversal via uploaded files with
  suitably crafted file names.

  Built-in upload handlers were not affected by this vulnerability.

This affects all versions in Debian, including 1.7.11-1+deb8u11 in
jessie ELTS.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-28658
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28658
[1] https://www.djangoproject.com/weblog/2021/apr/06/security-releases/


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
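As an added example (not Django's code and not part of this bug log), the kind of basename sanitisation a custom upload handler needs against the crafted filenames described in the report, paired with a containment check on the resolved path; the function names and the upload root `/srv/uploads` are this example's assumptions.

```python
# Added example, not Django's or the bug report's code: a filename sanitiser
# for a custom upload handler, in the spirit of the CVE-2021-28658 fix, plus a
# containment check. Function names and the upload root are assumptions.
import html
from pathlib import Path


def sanitize_file_name(file_name):
    """Strip directory components from a client-supplied filename.

    Returns None when nothing usable remains; callers must reject the
    upload in that case rather than fall back to the raw name.
    """
    # A client may HTML-escape the name (e.g. "&#46;&#46;/") to hide dots.
    file_name = html.unescape(file_name)
    # Keep only the last path segment, for both '/' and '\\' separators.
    file_name = file_name.rsplit("/")[-1]
    file_name = file_name.rsplit("\\")[-1]
    if file_name in {"", ".", ".."}:
        return None
    return file_name


def path_is_inside(root, candidate):
    """True only if candidate resolves to a path strictly below root."""
    root = Path(root).resolve()
    candidate = Path(candidate).resolve()
    return root in candidate.parents


def resolve_upload_target(upload_root, raw_name):
    """Final on-disk path for an upload, or None if it must be rejected.

    The containment check is a second line of defence: even if the
    sanitiser were bypassed, a path outside upload_root is never returned.
    """
    name = sanitize_file_name(raw_name)
    if name is None:
        return None
    target = Path(upload_root) / name
    if not path_is_inside(upload_root, target):
        return None
    return target.resolve()


if __name__ == "__main__":
    # Constructed sample names; /srv/uploads is an assumed upload root.
    for raw in ["report.pdf", "subdir/report.pdf", "&#46;&#46;/notes.txt", ".."]:
        print(repr(raw), "->", resolve_upload_target("/srv/uploads", raw))
```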



Marked as found in versions 2:2.2.19-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Apr 2021 08:51:02 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Apr 2021 08:51:04 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 06 Apr 2021 10:51:04 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 06 Apr 2021 10:51:04 GMT)


Message #14 received at 986447-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 986447-close@bugs.debian.org
Subject: Bug#986447: fixed in python-django 2:3.2-1
Date: Tue, 06 Apr 2021 10:48:45 +0000
Source: python-django
Source-Version: 2:3.2-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 986447@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 06 Apr 2021 11:38:48 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 986447
Changes:
 python-django (2:3.2-1) experimental; urgency=medium
 .
   * New upstream major release:
 .
     - Full release notes: <https://docs.djangoproject.com/en/3.2/releases/3.2/>
     - CVE-2021-28658: The MultiPartParser class allowed directory-traversal
       via uploaded files via maliciously crafted filenames. (Closes: #986447)





Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 06 Apr 2021 11:09:05 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 06 Apr 2021 11:09:05 GMT)


Message #19 received at 986447-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 986447-close@bugs.debian.org
Subject: Bug#986447: fixed in python-django 2:2.2.20-1
Date: Tue, 06 Apr 2021 11:04:11 +0000
Source: python-django
Source-Version: 2:2.2.20-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 986447@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 06 Apr 2021 11:44:51 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 986447
Changes:
 python-django (2:2.2.20-1) unstable; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-28658: The MultiPartParser class allowed directory-traversal
       via uploaded files via maliciously crafted filenames. (Closes: #986447)






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 7 08:06:20 2021; Machine Name: buxtehude
