python-django: CVE-2021-33203 & CVE-2021-33571

Related Vulnerabilities: CVE-2021-33203   CVE-2021-33571  

Debian Bug report logs - #989394
python-django: CVE-2021-33203 & CVE-2021-33571


Reported by: "Chris Lamb" <lamby@debian.org>

Date: Wed, 2 Jun 2021 15:03:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions 2:2.2.22-1, 2:2.2.23-1, python-django/1:1.11.29-1~deb10u1

Fixed in versions python-django/2:3.2.4-1, python-django/2:2.2.24-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#989394; Package python-django. (Wed, 02 Jun 2021 15:03:03 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Wed, 02 Jun 2021 15:03:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2021-33203 & CVE-2021-33571
Date: Wed, 02 Jun 2021 15:59:12 +0100
Package: python-django
Version: 1:1.11.29-1~deb10u1
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

  * CVE-2021-33203: Potential directory traversal via admindocs

    Staff members could use the admindocs TemplateDetailView view to
    check the existence of arbitrary files. Additionally, if (and only
    if) the default admindocs templates have been customized by the
    developers to also expose the file contents, then not only the
    existence but also the file contents would have been exposed.

    As a mitigation, path sanitation is now applied and only files
    within the template root directories can be loaded.

    This issue has low severity, according to the Django security
    policy.

    Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
    the CodeQL Python team for the report.

  * CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
    since validators accepted leading zeros in IPv4 addresses

    URLValidator, validate_ipv4_address(), and
    validate_ipv46_address() didn't prohibit leading zeros in octal
    literals. If you used such values you could suffer from
    indeterminate SSRF, RFI, and LFI attacks.

    validate_ipv4_address() and validate_ipv46_address() validators
    were not affected on Python 3.9.5+.

    This issue has medium severity, according to the Django security
    policy.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

  https://www.djangoproject.com/weblog/2021/jun/02/security-releases/


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
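The admindocs issue above is a lookup that joins a caller-supplied template name onto each template root and answers "exists" or "not found" without checking that the joined path is still inside the root. The following is an added example, not Django's code and not part of this bug report: it shows the pre-fix lookup shape beside a hardened one built on a containment check (`safe_join`, `is_within`, `unsafe_lookup`, `safe_lookup` and `demo` are this example's own names), and runs both against a throwaway directory tree so the existence oracle is visible.

```python
"""Containment check for template lookups (added example, not Django's code).

The hardened lookup resolves the joined path and refuses anything that
escapes the template root, which is the idea behind the upstream fix.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple


class SuspiciousPath(ValueError):
    """Raised when a joined path resolves outside its root directory."""


def safe_join(root: str, *parts: str) -> str:
    """Join `parts` onto `root` and require the result to stay inside it.

    Both escape routes are caught: os.path.join lets an absolute component
    ("/etc/passwd") discard the root entirely, and abspath folds "../"
    components, so comparing the folded result against the root is enough.
    """
    base = os.path.abspath(root)
    final = os.path.abspath(os.path.join(base, *parts))
    if final != base and not final.startswith(base.rstrip(os.sep) + os.sep):
        raise SuspiciousPath(f"{final!r} is outside {base!r}")
    return final


def is_within(root: str, name: str) -> bool:
    """True if `name` resolves inside `root` (pure path logic, no I/O)."""
    try:
        safe_join(root, name)
    except SuspiciousPath:
        return False
    return True


def unsafe_lookup(name: str, roots: Iterable[str]) -> Optional[str]:
    """Pre-fix shape: the True/False answer leaks the existence of any path
    the caller can spell out, which is the CVE-2021-33203 oracle."""
    for root in roots:
        candidate = os.path.join(root, name)
        if os.path.exists(candidate):
            return candidate
    return None


def safe_lookup(name: str, roots: Iterable[str]) -> Optional[str]:
    """Post-fix shape: only paths contained in a template root are tested."""
    for root in roots:
        if not is_within(root, name):
            continue
        candidate = safe_join(root, name)
        if os.path.exists(candidate):
            return candidate
    return None


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Build a throwaway template root plus a file outside it (constructed
    sample data) and report (unsafe_found, safe_found) for three probes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "templates")
        os.makedirs(os.path.join(root, "admin"))
        Path(root, "admin", "index.html").write_text("<h1>ok</h1>")
        outside = os.path.join(tmp, "outside")
        os.makedirs(outside)
        secret = os.path.join(outside, "secret.txt")
        Path(secret).write_text("not a template")

        probes = {
            "in_root": "admin/index.html",
            "relative_traversal": "../outside/secret.txt",
            "absolute_path": secret,
        }
        return {
            label: (unsafe_lookup(p, [root]) is not None,
                    safe_lookup(p, [root]) is not None)
            for label, p in probes.items()
        }


if __name__ == "__main__":
    for label, (unsafe_found, safe_found) in demo().items():
        print(f"{label:20s} unsafe={unsafe_found} safe={safe_found}")
```

The check is on the lexically normalized path, not on symlink targets; a symlink placed inside a template root still points wherever it points, so roots should not contain attacker-writable directories. Note also that the advisory's "if and only if" clause is about what the view renders, not about the lookup: the containment check closes both the existence oracle and any customized template that would have echoed file contents.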


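The "indeterminate" wording in the CVE-2021-33571 entry is the important part: a resolver in the inet_aton tradition reads an octet with a leading zero as octal, so "012.0.0.1" means 10.0.0.1 to it while a decimal parser sees 12.0.0.1, and a validator that admits such strings hands the real decision to whichever library ends up dialing the host. The block below is an added example, not Django's validators and not part of this report; the two regexes are illustrative loose and strict octet patterns (not the exact upstream ones), `inet_aton_like` is this example's own model of libc-style parsing, and the 10.0.0.0/8 deny list is a constructed stand-in for an application's internal-network check.

```python
"""Leading-zero IPv4 octets and why they make validation 'indeterminate'
(added example; not Django's code)."""
import ipaddress
import re
from typing import Dict, Optional

# Loose octet: one to three digits in range, leading zeros allowed.
# Illustrative shape of the pre-fix behaviour, not the exact upstream regex.
LOOSE_OCTET = r"(?:25[0-5]|2[0-4]\d|[01]?\d?\d)"
LOOSE_IPV4 = re.compile(rf"{LOOSE_OCTET}(?:\.{LOOSE_OCTET}){{3}}")

# Strict octet: "0" or a number without a leading zero.
STRICT_OCTET = r"(?:0|[1-9]\d?|1\d\d|2[0-4]\d|25[0-5])"
STRICT_IPV4 = re.compile(rf"{STRICT_OCTET}(?:\.{STRICT_OCTET}){{3}}")

# Shape of a single part as an inet_aton-style parser would accept it.
PART_RE = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")

# Constructed stand-in for an application's "internal network" deny list.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def loose_is_valid_ipv4(value: str) -> bool:
    return LOOSE_IPV4.fullmatch(value) is not None


def strict_is_valid_ipv4(value: str) -> bool:
    return STRICT_IPV4.fullmatch(value) is not None


def inet_aton_like(value: str) -> Optional[str]:
    """Parse a dotted quad the way a libc inet_aton-style parser does:
    '0x' prefix is hex, a leading '0' is octal, anything else is decimal.
    Returns canonical dotted decimal, or None when a part is not a number
    in range. The classic shorter forms such as "127.1" are left out."""
    parts = value.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for p in parts:
        if PART_RE.fullmatch(p) is None:
            return None
        try:
            if p[:2].lower() == "0x":
                n = int(p[2:], 16)
            elif len(p) > 1 and p[0] == "0":
                n = int(p, 8)  # "08" and "09" fail here, as in inet_aton
            else:
                n = int(p, 10)
        except ValueError:
            return None
        if not 0 <= n <= 255:
            return None
        octets.append(n)
    return ".".join(map(str, octets))


def decimal_view(value: str) -> Optional[str]:
    """What a parser that reads every octet as decimal sees (the reading the
    advisory says Python's ipaddress had before 3.9.5)."""
    parts = value.split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() and int(p) <= 255 for p in parts):
        return None
    return ".".join(str(int(p, 10)) for p in parts)


def ssrf_checks(host: str) -> Dict[str, object]:
    """Run the deny-list decision on both readings of the same string.
    A gap between the two answers is exactly the bug."""
    dec, res = decimal_view(host), inet_aton_like(host)
    return {
        "loose_accepts": loose_is_valid_ipv4(host),
        "strict_accepts": strict_is_valid_ipv4(host),
        "decimal_view": dec,
        "resolver_view": res,
        "decimal_says_internal": dec is not None and ipaddress.ip_address(dec) in INTERNAL,
        "resolver_says_internal": res is not None and ipaddress.ip_address(res) in INTERNAL,
    }


def stdlib_rejects_leading_zeros() -> bool:
    """Probe the running interpreter: True on Python 3.9.5 and later."""
    try:
        ipaddress.ip_address("012.0.0.1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for host in ("12.0.0.1", "012.0.0.1", "010.0.0.1", "0x0a.0.0.1"):
        print(host, ssrf_checks(host))
    print("ipaddress rejects leading zeros:", stdlib_rejects_leading_zeros())
```

For "012.0.0.1" the loose pattern says valid, the decimal reading (12.0.0.1) passes the internal-network check, and the inet_aton reading (10.0.0.1) is inside it; the strict pattern rejects the string outright, which is the only answer that does not depend on the downstream library. `stdlib_rejects_leading_zeros` is there to confirm the Python 3.9.5+ caveat from the advisory on the interpreter you actually run.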

Marked as found in versions 2:2.2.23-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 02 Jun 2021 15:15:07 GMT)


Marked as found in versions 2:2.2.22-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 02 Jun 2021 15:15:08 GMT)


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 02 Jun 2021 15:15:10 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 02 Jun 2021 15:21:07 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Wed, 02 Jun 2021 15:21:07 GMT)


Message #16 received at 989394-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 989394-close@bugs.debian.org
Subject: Bug#989394: fixed in python-django 2:3.2.4-1
Date: Wed, 02 Jun 2021 15:19:05 +0000
Source: python-django
Source-Version: 2:3.2.4-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989394@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 02 Jun 2021 16:08:13 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.4-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 989394
Changes:
 python-django (2:3.2.4-1) experimental; urgency=medium
 .
   * New upstream security release. (Closes: #989394)
 .
     - CVE-2021-33203: Potential directory traversal via admindocs
 .
       Staff members could use the admindocs TemplateDetailView view to
       check the existence of arbitrary files. Additionally, if (and only
       if) the default admindocs templates have been customized by the
       developers to also expose the file contents, then not only the
       existence but also the file contents would have been exposed.
 .
       As a mitigation, path sanitation is now applied and only files
       within the template root directories can be loaded.
 .
       This issue has low severity, according to the Django security
       policy.
 .
       Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
       the CodeQL Python team for the report.
 .
     - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
       since validators accepted leading zeros in IPv4 addresses
 .
       URLValidator, validate_ipv4_address(), and
       validate_ipv46_address() didn't prohibit leading zeros in octal
       literals. If you used such values you could suffer from
       indeterminate SSRF, RFI, and LFI attacks.
 .
       validate_ipv4_address() and validate_ipv46_address() validators
       were not affected on Python 3.9.5+.
 .
       This issue has medium severity, according to the Django security
       policy.
 .
   * Bump Standards-Version to 4.5.1.
Checksums-Sha1:
 4ee1eed1a0e6fedf485170c4ebaa6f05d3bc69a6 2779 python-django_3.2.4-1.dsc
 7b0875627bfd044cbfd3c9dc4b87c653a3cbe2dc 9824343 python-django_3.2.4.orig.tar.gz
 f27a1a167c94f01a9091d686acb87261b45cf5b4 27032 python-django_3.2.4-1.debian.tar.xz
 78698ba6396279c6d28add969aa37f805a31b571 7554 python-django_3.2.4-1_amd64.buildinfo
Checksums-Sha256:
 c045b9445260288da3d6f7277c021e7bb48c00a75cb7e99c847523b7a8d637e0 2779 python-django_3.2.4-1.dsc
 66c9d8db8cc6fe938a28b7887c1596e42d522e27618562517cc8929eb7e7f296 9824343 python-django_3.2.4.orig.tar.gz
 db66b00bd8120de0d96702b9a7890d4705e9fddfc44cedddf3987d6ca45ff7c6 27032 python-django_3.2.4-1.debian.tar.xz
 3df5a500a06c8134046c67998d042083a4c28a2e004e318c3009060b7918ef16 7554 python-django_3.2.4-1_amd64.buildinfo
Files:
 50510e7b32ffd8e048d5da8868000399 2779 python optional python-django_3.2.4-1.dsc
 2f30db9154efb8c9ed891781d29fae2a 9824343 python optional python-django_3.2.4.orig.tar.gz
 96a44ad690e88af965d761690de5f506 27032 python optional python-django_3.2.4-1.debian.tar.xz
 440686c732564cd131064c3a67ef23d6 7554 python optional python-django_3.2.4-1_amd64.buildinfo





Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 02 Jun 2021 15:36:07 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Wed, 02 Jun 2021 15:36:07 GMT)


Message #21 received at 989394-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 989394-close@bugs.debian.org
Subject: Bug#989394: fixed in python-django 2:2.2.24-1
Date: Wed, 02 Jun 2021 15:34:01 +0000
Source: python-django
Source-Version: 2:2.2.24-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989394@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 02 Jun 2021 16:15:13 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.24-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 989394
Changes:
 python-django (2:2.2.24-1) unstable; urgency=medium
 .
   * New upstream security release. (Closes: #989394)
 .
     - CVE-2021-33203: Potential directory traversal via admindocs
 .
       Staff members could use the admindocs TemplateDetailView view to
       check the existence of arbitrary files. Additionally, if (and only
       if) the default admindocs templates have been customized by the
       developers to also expose the file contents, then not only the
       existence but also the file contents would have been exposed.
 .
       As a mitigation, path sanitation is now applied and only files
       within the template root directories can be loaded.
 .
       This issue has low severity, according to the Django security
       policy.
 .
       Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
       the CodeQL Python team for the report.
 .
     - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
       since validators accepted leading zeros in IPv4 addresses
 .
       URLValidator, validate_ipv4_address(), and
       validate_ipv46_address() didn't prohibit leading zeros in octal
       literals. If you used such values you could suffer from
       indeterminate SSRF, RFI, and LFI attacks.
 .
       validate_ipv4_address() and validate_ipv46_address() validators
       were not affected on Python 3.9.5+.
 .
       This issue has medium severity, according to the Django security
       policy.
Checksums-Sha1:
 0bd594f14c8c6d1ba35d1463352e12017cd96398 2779 python-django_2.2.24-1.dsc
 5f6dc81c98530d745ffd6ee3712605d0f7312bb4 9211396 python-django_2.2.24.orig.tar.gz
 49dcdd1bee45dd1651a3060fbf143dc04fb2bc32 27304 python-django_2.2.24-1.debian.tar.xz
 92b779cf28ef1451d9700abbbf2a4513ed63647e 7726 python-django_2.2.24-1_amd64.buildinfo
Checksums-Sha256:
 15c857f6e750285c92ab57409885b54b70bcdeaf956581e8f8a67bb1cdc08164 2779 python-django_2.2.24-1.dsc
 3339ff0e03dee13045aef6ae7b523edff75b6d726adf7a7a48f53d5a501f7db7 9211396 python-django_2.2.24.orig.tar.gz
 76ebed1d0c51efad5d81809c3a6266d590ac99377d7d78ac1d879c6eeefee6ea 27304 python-django_2.2.24-1.debian.tar.xz
 68b14ff49c1ad8acaeef82c24de39acf7cb12d17ae54fcaaa3196809872dc3a7 7726 python-django_2.2.24-1_amd64.buildinfo
Files:
 34313b2cec684d0db5f4ce844d0388c3 2779 python optional python-django_2.2.24-1.dsc
 ebf3bbb7716a7b11029e860475b9a122 9211396 python optional python-django_2.2.24.orig.tar.gz
 64caea7bfd43e189f766640ee1847740 27304 python optional python-django_2.2.24-1.debian.tar.xz
 06712056e9ec59bb2fa5a48fc3a12130 7726 python optional python-django_2.2.24-1_amd64.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 2 16:13:34 2021; Machine Name: bembo
