+CVE-2021-31542: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
+directory-traversal via uploaded files with suitably crafted file names.
+
+In order to mitigate this risk, stricter basename and path sanitation is now
+applied. Specifically, empty file names and paths with dot segments will be
+rejected.
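To make the described sanitation concrete, here is an added illustration (not Django's own code and not part of this bug report) of a file-name check that rejects empty names and dot segments, plus a hypothetical `resolve_upload_path` helper that confirms the final path stays under the media root. It assumes POSIX-style forward-slash upload paths and constructed sample names.

```python
import posixpath


class SuspiciousFileOperation(Exception):
    """Raised when an uploaded file name could escape the upload directory."""


def validate_file_name(name: str, allow_relative_path: bool = False) -> str:
    """Illustrative re-implementation of the sanitation in the release note.

    Empty names and the dot segments '.' and '..' are rejected. Unless a
    relative directory prefix is explicitly allowed, any path element at
    all is refused, so a bare basename is the only accepted form.
    """
    base = posixpath.basename(name)
    if base in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from {name!r}")
    if allow_relative_path:
        # A prefix such as 'avatars/2021/' is fine, but the path must not be
        # absolute and no segment may be a dot segment.
        segments = name.split("/")
        if name.startswith("/") or any(s in {".", ".."} for s in segments):
            raise SuspiciousFileOperation(f"Detected path traversal attempt in {name!r}")
    elif name != base:
        raise SuspiciousFileOperation(f"File name {name!r} includes path elements")
    return name


def resolve_upload_path(media_root: str, name: str) -> str:
    """Defence in depth (hypothetical helper, not a Django API): validate the
    name, join it to media_root, and refuse anything that normalises outside."""
    root = posixpath.normpath(media_root)
    safe_name = validate_file_name(name, allow_relative_path=True)
    target = posixpath.normpath(posixpath.join(root, safe_name))
    if not target.startswith(root.rstrip("/") + "/"):
        raise SuspiciousFileOperation(f"{name!r} resolves outside {root!r}")
    return target


def is_accepted(name: str, allow_relative_path: bool = False) -> bool:
    """True if the name passes validate_file_name, False if it is rejected."""
    try:
        validate_file_name(name, allow_relative_path)
    except SuspiciousFileOperation:
        return False
    return True
```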
Fixed versions:
dev-python/django-3.2.1
dev-python/django-3.1.9
dev-python/django-2.2.21

3.0 branch is EOL, so it'll have to be removed.
Unable to check for sanity:
> no match for package: dev-python/django-3.1.9
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
ALLARCHES stable. Closing.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18e80c1390384fd9da00c8f2f3f6a8a88389ecff

commit 18e80c1390384fd9da00c8f2f3f6a8a88389ecff
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-05-06 07:21:47 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-05-06 07:33:02 +0000

    dev-python/django: Remove vulnerable versions

    Bug: https://bugs.gentoo.org/788130
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest                |   8 ---
 dev-python/django/django-2.2.20.ebuild    |  93 --------------------------
 dev-python/django/django-3.0.14-r1.ebuild | 106 ------------------------------
 dev-python/django/django-3.1.8-r1.ebuild  |  99 ----------------------------
 dev-python/django/django-3.2.ebuild       |  95 --------------------------
 5 files changed, 401 deletions(-)
(In reply to Agostino Sarubbo from comment #4)
> ALLARCHES stable. Closing.

Time to fix your scripts ;)
(In reply to Sam James from comment #6)
> (In reply to Agostino Sarubbo from comment #4)
> > ALLARCHES stable. Closing.
>
> Time to fix your scripts ;)

Yes, I noticed that in the last bug where you cc'ed me. It is on my todo list.
FTR, it happens where allarches is set.
Thanks
(In reply to Agostino Sarubbo from comment #7)
> (In reply to Sam James from comment #6)
> > (In reply to Agostino Sarubbo from comment #4)
> > > ALLARCHES stable. Closing.
> >
> > Time to fix your scripts ;)
>
> Yes, I noticed that in the last bug where you cc'ed me. It is on my todo list
> FTR It happens where allarches is set.
> Thanks

No worries, I wasn't sure if you saw but it's not a big deal at all :)
cleanup done.
GLSA request filed.