Univention Bugzilla – Bug 53237
python-django: Multiple issues (4.4)
Last modified: 2021-05-26 15:34:01 CEST
New Debian python-django 1:1.10.7-2+deb9u13 fixes: This update addresses the following issue: * Potential directory-traversal via uploaded files (CVE-2021-31542)
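The mitigation described for this issue (stricter basename and path sanitation for uploaded file names, rejecting empty names and dot segments) as an added Python example; this is not Django's code and not part of the bug record. `validate_file_name`, `storage_path`, `is_confined`, `classify` and the sample names are constructed for illustration; the rules they apply follow the fix description above.

```python
import posixpath

# Standalone re-implementation (not Django's own code) of the check described
# for CVE-2021-31542: empty file names and paths containing dot segments are
# rejected before an upload name reaches the storage layer.


class SuspiciousFileOperation(Exception):
    """Raised when an upload name could escape the upload directory."""


def validate_file_name(name, allow_relative_path=False):
    """Return `name` unchanged if it is safe to store, otherwise raise.

    Strict mode (default) accepts only a bare basename, which is what a
    multipart parser should hand on as an uploaded file's name. With
    allow_relative_path a storage-relative path such as 'avatars/2021/x.png'
    is allowed, but it may not be absolute and may not contain '.' or '..'.
    """
    # Treat backslashes as separators too: a name sent by a Windows client
    # must not let '..\\' slip past a POSIX basename().
    normalized = name.replace("\\", "/")
    base = posixpath.basename(normalized)
    if base in ("", ".", ".."):
        raise SuspiciousFileOperation(f"Could not derive file name from {name!r}")
    if allow_relative_path:
        if normalized.startswith("/"):
            raise SuspiciousFileOperation(f"Absolute path not allowed: {name!r}")
        if any(seg in (".", "..") for seg in normalized.split("/")):
            raise SuspiciousFileOperation(f"Dot segment in path: {name!r}")
    elif normalized != base:
        raise SuspiciousFileOperation(f"Directory components not allowed: {name!r}")
    return name


def storage_path(upload_root, name):
    """Defence in depth at the storage layer: join under upload_root and refuse
    any result that normalizes to a location outside it."""
    root = posixpath.normpath(upload_root)
    final = posixpath.normpath(posixpath.join(root, name))
    if final != root and not final.startswith(root + "/"):
        raise SuspiciousFileOperation(f"{final!r} is outside {root!r}")
    return final


def is_confined(upload_root, name):
    """True if storage_path() would keep `name` inside upload_root."""
    try:
        storage_path(upload_root, name)
        return True
    except SuspiciousFileOperation:
        return False


# Constructed sample names, as a multipart parser might receive them.
SAMPLE_NAMES = [
    "report.pdf",
    "",
    "..",
    "../../etc/passwd",
    "..\\..\\win.ini",
    "/etc/passwd",
    "avatars/2021/pic.png",
    "avatars/./pic.png",
]


def classify(names=SAMPLE_NAMES, allow_relative_path=False):
    """Map each name to 'accepted' or 'rejected' under the chosen mode."""
    result = {}
    for n in names:
        try:
            validate_file_name(n, allow_relative_path)
            result[n] = "accepted"
        except SuspiciousFileOperation:
            result[n] = "rejected"
    return result


if __name__ == "__main__":
    for mode in (False, True):
        print("allow_relative_path =", mode)
        for n, verdict in classify(allow_relative_path=mode).items():
            print(f"  {n!r:28} {verdict}")
```

The two layers are deliberately independent: the parser-side check rejects suspicious names early and gives a clear error, while the storage-side join check still holds if some other code path constructs a name without going through validation.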
--- mirror/ftp/4.4/unmaintained/4.4-8/source/python-django_1.10.7-2+deb9u12.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/python-django_1.10.7-2+deb9u13.dsc @@ -1,3 +1,12 @@ +1:1.10.7-2+deb9u13 [Thu, 06 May 2021 10:17:00 +0100] Chris Lamb <lamby@debian.org>: + + * CVE-2021-31542: Fix a potential directory-traversal vulnerability that + could have been exploited by uploaded files. The MultiPartParser, + UploadedFile and FieldFile classes allowed directory-traversal via uploaded + files with suitably crafted file names. In order to mitigate this risk, + stricter basename and path sanitation is now applied. Specifically, empty + file names and paths with dot segments are rejected. (Closes: #988053) + 1:1.10.7-2+deb9u12 [Fri, 09 Apr 2021 12:28:23 +0100] Chris Lamb <lamby@debian.org>: * CVE-2021-28658: Prevent a directory traversal issue which could have been <http://piuparts.knut.univention.de/4.4-8/#203156406378619089>
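Review bot: the new changelog entry for 1:1.10.7-2+deb9u13 records only the CVE-2021-31542 fix, while the build notes for this bug state that python-pathlib was added as a new dependency; that dependency change should be recorded in the same changelog entry so the reason for the new package shipped alongside the fix is documented with it.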
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts
[4.4-8] e7c7c800b5 Bug #53237: python-django 1:1.10.7-2+deb9u13 doc/errata/staging/python-django.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+)
~~: python-pathlib added as new dependency
OK: python-pathlib.yaml, added to maintained
Verified
<https://errata.software-univention.de/#/?erratum=4.4x982> <https://errata.software-univention.de/#/?erratum=4.4x983>