python-django: CVE-2021-23336


Debian Bug report logs - #983090
python-django: CVE-2021-23336


Reported by: "Chris Lamb" <lamby@debian.org>

Date: Fri, 19 Feb 2021 09:21:02 UTC

Severity: grave

Tags: security

Found in versions 1:1.10.7-2+deb9u10, 2:2.2.18-1

Fixed in versions python-django/2:3.2~alpha1-2, python-django/2:2.2.19-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#983090; Package python-django. (Fri, 19 Feb 2021 09:21:04 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Fri, 19 Feb 2021 09:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2021-23336
Date: Fri, 19 Feb 2021 09:16:52 +0000
Package: python-django
Version: 1:1.10.7-2+deb9u10
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2021-23336[0]:
| The package python/cpython from 0 and before 3.6.13, from 3.7.0 and
| before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before
| 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl
| and urllib.parse.parse_qs by using a vector called parameter cloaking.
| When the attacker can separate query parameters using a semicolon (;),
| they can cause a difference in the interpretation of the request
| between the proxy (running with default configuration) and the server.
| This can result in malicious requests being cached as completely safe
| ones, as the proxy would usually not see the semicolon as a separator,
| and therefore would not include it in a cache key of an unkeyed
| parameter.

Django is vulnerable because it embeds parse_qsl:

  https://www.djangoproject.com/weblog/2021/feb/19/security-releases/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23336
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
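The parameter-cloaking discrepancy described in the quoted CVE text, as an added Python example (not code from this bug report, CPython or Django): `legacy_parse_qsl` re-implements the pre-fix splitting on both `&` and `;`, `cache_key` and `cloaked_params` are constructed models of a cache that keys on a subset of parameters, and the query string is constructed sample input. The `separator` keyword of `parse_qsl` only exists on patched interpreters, so the call fails on an unpatched one, which is itself a useful signal.

```python
"""Check whether a query-string parser and an '&'-only cache agree on
the keyed parameters, i.e. whether ';' can cloak a parameter."""
from urllib.parse import parse_qsl, unquote_plus


def legacy_parse_qsl(qs):
    """Model of the pre-fix urllib.parse.parse_qsl: both '&' and ';'
    terminate a name=value pair (re-implemented here for comparison)."""
    pairs = []
    for chunk in qs.split('&'):
        for field in chunk.split(';'):
            if not field:
                continue
            name, _, value = field.partition('=')
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def fixed_parse_qsl(qs):
    """Patched behaviour: only '&' separates pairs. Passing separator
    explicitly raises TypeError on interpreters without the fix."""
    return parse_qsl(qs, keep_blank_values=True, separator='&')


def cache_key(pairs, keyed):
    """Constructed model of a cache key built from keyed parameters only;
    unkeyed parameters are ignored, exactly as the CVE text describes."""
    return tuple(sorted((n, v) for n, v in pairs if n in keyed))


def cloaked_params(qs, keyed, app_parser):
    """Keyed (name, value) pairs the application parser sees but a
    proxy that splits on '&' only does not. A non-empty result means
    responses for different application inputs share one cache key."""
    proxy_view = cache_key(fixed_parse_qsl(qs), keyed)
    app_view = cache_key(app_parser(qs), keyed)
    return sorted(set(app_view) - set(proxy_view))


if __name__ == "__main__":
    # Constructed sample: 'theme' is unkeyed, 'lang' is keyed.
    sample = "lang=en&theme=dark;lang=fr"
    print("legacy parser:", cloaked_params(sample, {"lang"}, legacy_parse_qsl))
    print("fixed parser: ", cloaked_params(sample, {"lang"}, fixed_parse_qsl))
```

Running the block on the sample shows the legacy parser yields a cloaked `('lang', 'fr')` while the fixed parser yields nothing, which is the check to run against the parser your application actually uses.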



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#983090; Package python-django. (Fri, 19 Feb 2021 09:27:04 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Team <team+python@tracker.debian.org>. (Fri, 19 Feb 2021 09:27:04 GMT)


Message #10 received at 983090@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: 983090@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#983090: python-django: CVE-2021-23336
Date: Fri, 19 Feb 2021 09:25:50 +0000
Chris Lamb wrote:

> The following vulnerability was published for python-django.
[…]
> 
> Django is vulnerable because it embeds parse_qsl:
> 
>   https://www.djangoproject.com/weblog/2021/feb/19/security-releases/

Security team, let me know if you would like an update for stable.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Fri, 19 Feb 2021 09:36:02 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Fri, 19 Feb 2021 09:36:02 GMT)


Message #15 received at 983090-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 983090-close@bugs.debian.org
Subject: Bug#983090: fixed in python-django 2:2.2.19-1
Date: Fri, 19 Feb 2021 09:33:34 +0000
Source: python-django
Source-Version: 2:2.2.19-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 983090@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 19 Feb 2021 09:22:37 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.19-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 983090
Changes:
 python-django (2:2.2.19-1) unstable; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
       cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
       added to backport some security fixes. A further security fix has been
       issued recently such that parse_qsl() no longer allows using ";" as a
       query parameter separator by default. (Closes: #983090)
 .
     <https://www.djangoproject.com/weblog/2021/feb/19/security-releases/>
 .
   * Refresh patches.





Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Fri, 19 Feb 2021 10:06:05 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Fri, 19 Feb 2021 10:06:05 GMT)


Message #20 received at 983090-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 983090-close@bugs.debian.org
Subject: Bug#983090: fixed in python-django 2:3.2~alpha1-2
Date: Fri, 19 Feb 2021 10:03:34 +0000
Source: python-django
Source-Version: 2:3.2~alpha1-2
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 983090@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 19 Feb 2021 09:28:42 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2~alpha1-2
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 983090
Changes:
 python-django (2:3.2~alpha1-2) experimental; urgency=medium
 .
   * Apply security fix from upstream:
 .
     - CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
       cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
       added to backport some security fixes. A further security fix has been
       issued recently such that parse_qsl() no longer allows using ";" as a
       query parameter separator by default. (Closes: #983090)
 .
     <https://www.djangoproject.com/weblog/2021/feb/19/security-releases/>





Marked as found in versions 2:2.2.18-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 19 Feb 2021 12:39:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Feb 20 08:03:01 2021; Machine Name: buxtehude
