Bug 53411 - python-django: Multiple issues (4.4)
Summary: python-django: Multiple issues (4.4)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware: All Linux
: P3 normal
Target Milestone: UCS 4.4-8-errata
Assignee: Quality Assurance
QA Contact: Erik Damrose
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-07 09:39 CEST by Quality Assurance
Modified: 2021-06-09 18:27 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2021-06-07 09:39:25 CEST 
New Debian python-django 1:1.10.7-2+deb9u14 fixes:
This update addresses the following issues:
* Potential directory traversal via ``admindocs`` (CVE-2021-33203)
* Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted  leading zeros in IPv4 addresses (CVE-2021-33571)
Comment 1 Quality Assurance univentionstaff 2021-06-07 10:00:35 CEST 
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/python-django_1.10.7-2+deb9u13.dsc
+++ apt/ucs_4.4-0-errata4.4-8/source/python-django_1.10.7-2+deb9u14.dsc
@@ -1,3 +1,37 @@
+1:1.10.7-2+deb9u14 [Sat, 05 Jun 2021 10:40:51 +0100] Chris Lamb <lamby@debian.org>:
+
+  * Upload from the LTS security team. (Closes: #989394)
+  * CVE-2021-33203: Potential directory traversal via admindocs
+
+    Staff members could use the admindocs TemplateDetailView view to
+    check the existence of arbitrary files. Additionally, if (and only
+    if) the default admindocs templates have been customized by the
+    developers to also expose the file contents, then not only the
+    existence but also the file contents would have been exposed.
+
+    As a mitigation, path sanitation is now applied and only files
+    within the template root directories can be loaded.
+
+    This issue has low severity, according to the Django security
+    policy.
+
+    Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
+    the CodeQL Python team for the report.
+
+  * CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
+    since validators accepted leading zeros in IPv4 addresses
+
+    URLValidator, validate_ipv4_address(), and
+    validate_ipv46_address() didn't prohibit leading zeros in octal
+    literals. If you used such values you could suffer from
+    indeterminate SSRF, RFI, and LFI attacks.
+
+    validate_ipv4_address() and validate_ipv46_address() validators
+    were not affected on Python 3.9.5+.
+
+    This issue has medium severity, according to the Django security
+    policy.
+
 1:1.10.7-2+deb9u13 [Thu, 06 May 2021 10:17:00 +0100] Chris Lamb <lamby@debian.org>:
 
   * CVE-2021-31542: Fix a potential directory-traversal vulnerability that

<http://piuparts.knut.univention.de/4.4-8/#203156406373206464>
Comment 2 Erik Damrose univentionstaff 2021-06-09 09:22:26 CEST 
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-8] ce9711fdbc Bug #53411: python-django 1:1.10.7-2+deb9u14
 doc/errata/staging/python-django.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)