Univention Bugzilla – Bug 52753
python-django: Multiple issues (4.4)
Last modified: 2021-02-10 17:26:15 CET
New Debian python-django 1:1.10.7-2+deb9u10 fixes:
This update addresses the following issue:
* Potential directory-traversal via archive.extract() (CVE-2021-3281)
--- mirror/ftp/4.4/unmaintained/4.4-5/source/python-django_1.10.7-2+deb9u9.dsc +++ apt/ucs_4.4-0-errata4.4-7/source/python-django_1.10.7-2+deb9u10.dsc @@ -1,3 +1,15 @@ +1:1.10.7-2+deb9u10 [Mon, 01 Feb 2021 18:15:23 +0000] Chris Lamb <lamby@debian.org>: + + * CVE-2021-3281: Fix a potential directory-traversal via archive.extract(). + + The django.utils.archive.extract() function, used by startapp --template + and startproject --template, allowed directory-traversal via an archive + with absolute paths or relative paths with dot segments. + + <https://www.djangoproject.com/weblog/2021/feb/01/security-releases/> + + (Closes: #981562) + 1:1.10.7-2+deb9u9 [Sat, 13 Jun 2020 15:47:14 +0100] Chris Lamb <lamby@debian.org>: * CVE-2020-13254: Potential a data leakage via malformed memcached keys. <http://10.200.17.11/4.4-7/#203156406377536564>
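Review bot: The added 1:1.10.7-2+deb9u10 entry says what archive.extract() used to allow (an archive with absolute paths or relative paths with dot segments) but not what the fixed function now does when it meets such an archive. Since the entry names startapp --template and startproject --template as the callers, one more line stating the new behaviour for a template archive containing those paths would let an admin judge whether existing templates are affected. Separately, the unchanged 1:1.10.7-2+deb9u9 context line reads "Potential a data leakage"; that wording belongs to the earlier entry and is better corrected at its source than in this diff.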
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] 8d38b18eb5 Bug #52753: python-django 1:1.10.7-2+deb9u10
 doc/errata/staging/python-django.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x890>