python-django: CVE-2023-31047

Related Vulnerabilities: CVE-2023-31047  

Debian Bug report logs - #1035467
python-django: CVE-2023-31047


Reported by: "Chris Lamb" <lamby@debian.org>

Date: Wed, 3 May 2023 16:12:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions 3:3.2.18-1, 1:1.11.29-1+deb10u7

Fixed in versions python-django/3:3.2.19-1, python-django/3:4.2.1-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#1035467; Package python-django. (Wed, 03 May 2023 16:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Wed, 03 May 2023 16:12:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2023-31047
Date: Wed, 03 May 2023 09:08:10 -0700
Package: python-django
Version: 1:1.11.29-1+deb10u7
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django:

  CVE-2023-31047: Potential bypass of validation when uploading
  multiple files using one form field

  Uploading multiple files using one form field has never been
  supported by forms.FileField or forms.ImageField as only the last
  uploaded file was validated. Unfortunately, Uploading multiple files
  topic suggested otherwise.

  In order to avoid the vulnerability, ClearableFileInput and
  FileInput form widgets now raise ValueError when the multiple HTML
  attribute is set on them. To prevent the exception and keep the old
  behavior, set allow_multiple_selected to True.

  For more details on using the new attribute and handling of multiple
  files through a single field, see Uploading multiple files.

    — <https://www.djangoproject.com/weblog/2023/may/03/security-releases/>


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

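The mechanism behind the advisory above, as an added example that is neither Django's own code nor part of the bug report: a stdlib-only stand-in for request.FILES (Django's MultiValueDict returns the last value on plain lookup and every value on getlist()), showing why a field that reads only files.get(name) validates just the last of several uploads sent under one field name, and the per-file validation that a field allowing allow_multiple_selected = True must perform itself. The Upload class, the extension allow-list and the sample uploads are constructed for the demonstration.

```python
from dataclasses import dataclass

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg"}  # assumed upload policy for the example


@dataclass
class Upload:
    """Constructed stand-in for an uploaded file object."""
    name: str
    size: int


class ValidationError(Exception):
    pass


class MultiValueDict(dict):
    """Minimal model of django.utils.datastructures.MultiValueDict: values are
    lists; get()/[] return only the LAST item, getlist() returns all of them."""

    def __getitem__(self, key):
        values = super().__getitem__(key)
        return values[-1] if values else None

    def get(self, key, default=None):
        values = super().get(key)
        return values[-1] if values else default

    def getlist(self, key):
        return list(super().get(key, []))


def validate_upload(upload):
    """Policy check applied to one upload: extension must be on the allow-list."""
    ext = upload.name.rsplit(".", 1)[-1].lower() if "." in upload.name else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValidationError(f"{upload.name}: extension {ext!r} not allowed")
    return upload


def clean_single_field(files, name):
    """Pre-fix behaviour: the widget hands the field files.get(name), so when the
    browser sent several files only the last one is validated; the rest pass unchecked."""
    return validate_upload(files.get(name))


def clean_multiple_field(files, name):
    """Corrected behaviour: fetch every upload with getlist() and validate each one."""
    return [validate_upload(f) for f in files.getlist(name)]


def accepted(cleaner, files, name):
    """True if the given cleaning strategy accepts the request's uploads."""
    try:
        cleaner(files, name)
        return True
    except ValidationError:
        return False


def constructed_request_files():
    # Constructed sample: two uploads under one field name, the disallowed one first.
    return MultiValueDict({"attachments": [Upload("archive.zip", 4096), Upload("photo.png", 2048)]})
```

With the constructed request the single-value path accepts the submission because it only ever inspects photo.png, while the per-file path rejects archive.zip.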


Marked as found in versions 3:3.2.18-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 03 May 2023 16:18:03 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 03 May 2023 16:18:03 GMT) (full text, mbox, link).


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 03 May 2023 17:12:06 GMT) (full text, mbox, link).


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Wed, 03 May 2023 17:12:06 GMT) (full text, mbox, link).


Message #14 received at 1035467-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1035467-close@bugs.debian.org
Subject: Bug#1035467: fixed in python-django 3:3.2.19-1
Date: Wed, 03 May 2023 17:09:38 +0000
Source: python-django
Source-Version: 3:3.2.19-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1035467@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 03 May 2023 09:32:59 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:3.2.19-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1035467
Changes:
 python-django (3:3.2.19-1) unstable; urgency=medium
 .
   * New upstream security release.
   * CVE-2023-31047: Prevent a potential bypass of validation when uploading
     multiple files using one form field.
 .
     Uploading multiple files using one form field has never been supported by
     forms.FileField or forms.ImageField as only the last uploaded file was
     validated. Unfortunately, Uploading multiple files topic suggested
     otherwise. In order to avoid the vulnerability, the ClearableFileInput and
     FileInput form widgets now raise ValueError when the multiple HTML
     attribute is set on them. To prevent the exception and keep the old
     behavior, set the allow_multiple_selected attribute to True.
 .
     For more details on using the new attribute and handling of multiple files
     through a single field, see:
 .
       <https://docs.djangoproject.com/en/stable/topics/http/file-uploads/#uploading-multiple-files>
 .
     (Closes: #1035467)
 .
   * Bump Standards-Version to 4.6.2.





Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 03 May 2023 17:12:08 GMT) (full text, mbox, link).


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Wed, 03 May 2023 17:12:08 GMT) (full text, mbox, link).


Message #19 received at 1035467-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1035467-close@bugs.debian.org
Subject: Bug#1035467: fixed in python-django 3:4.2.1-1
Date: Wed, 03 May 2023 17:10:09 +0000
Source: python-django
Source-Version: 3:4.2.1-1
Done: Chris Lamb <lamby@debian.org>




Format: 1.8
Date: Wed, 03 May 2023 09:13:17 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.1-1
Distribution: experimental
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1035467
Changes:
 python-django (3:4.2.1-1) experimental; urgency=high
 .
   * New upstream security release.
   * CVE-2023-31047: Prevent a potential bypass of validation when uploading
     multiple files using one form field.
 .
     Uploading multiple files using one form field has never been supported by
     forms.FileField or forms.ImageField as only the last uploaded file was
     validated. Unfortunately, Uploading multiple files topic suggested
     otherwise. In order to avoid the vulnerability, the ClearableFileInput and
     FileInput form widgets now raise ValueError when the multiple HTML
     attribute is set on them. To prevent the exception and keep the old
     behavior, set the allow_multiple_selected attribute to True.
 .
     For more details on using the new attribute and handling of multiple files
     through a single field, see:
 .
       <https://docs.djangoproject.com/en/stable/topics/http/file-uploads/#uploading-multiple-files>
 .
     (Closes: #1035467)
 .
   * Refresh patches.







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu May 4 13:12:52 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.