Bug 52824 - python-django: Multiple issues (4.4)
Summary: python-django: Multiple issues (4.4)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware: All Linux
: P3 normal
Target Milestone: UCS 4.4-7-errata
Assignee: Quality Assurance
QA Contact: Erik Damrose
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-22 10:35 CET by Quality Assurance
Modified: 2021-02-24 16:52 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2021-02-22 10:35:45 CET 
New Debian python-django 1:1.10.7-2+deb9u11 fixes:
This update addresses the following issue:
* Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by  using a semicolon in query parameters (CVE-2021-23336)
Comment 1 Quality Assurance univentionstaff 2021-02-22 11:00:16 CET 
--- mirror/ftp/4.4/unmaintained/component/4.4-7-errata/source/python-django_1.10.7-2+deb9u10.dsc
+++ apt/ucs_4.4-0-errata4.4-7/source/python-django_1.10.7-2+deb9u11.dsc
@@ -1,3 +1,15 @@
+1:1.10.7-2+deb9u11 [Fri, 19 Feb 2021 12:21:16 +0000] Chris Lamb <lamby@debian.org>:
+
+  * Apply security fix from upstream:
+
+    - CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
+      cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
+      added to backport some security fixes. A further security fix has been
+      issued recently such that parse_qsl() no longer allows using ";" as a
+      query parameter separator by default. (Closes: #983090)
+
+    <https://www.djangoproject.com/weblog/2021/feb/19/security-releases/>
+
 1:1.10.7-2+deb9u10 [Mon, 01 Feb 2021 18:15:23 +0000] Chris Lamb <lamby@debian.org>:
 
   * CVE-2021-3281: Fix a potential directory-traversal via archive.extract().

<http://10.200.17.11/4.4-7/#203156406376454039>
Comment 2 Erik Damrose univentionstaff 2021-02-24 15:32:45 CET 
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] cf36c8d51b Bug #52824: python-django 1:1.10.7-2+deb9u11
 doc/errata/staging/python-django.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)