CVE-2021-33203: Potential directory traversal via admindocs

Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.

CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses

URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn't prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks.

validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+.

This issue has medium severity, according to the Django security policy.

Fixes in 2.2.24, 3.1.12, and 3.2.4, please bump.
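The ambiguity behind CVE-2021-33571, as an added illustration that is not Django's code and not part of this bug report: a strict validator that rejects leading-zero octets the way the fixed validators do, beside two helpers showing that the same string `0127.0.0.1` reads as loopback under a plain decimal parser but as `87.0.0.1` under a C-style parser that treats a leading `0` as octal (the `inet_aton` convention). The function names are my own.

```python
import re
from typing import Optional

# Constructed example: a dotted-quad validator that only accepts canonical
# decimal octets (0-255, no leading zeros), mirroring the intent of the fix.
_OCTET_OK = re.compile(r"^(0|[1-9][0-9]{0,2})$")


def is_strict_ipv4(value: str) -> bool:
    """True only for canonical dotted-decimal IPv4 such as 127.0.0.1."""
    parts = value.split(".")
    if len(parts) != 4:
        return False
    return all(_OCTET_OK.match(p) and int(p) <= 255 for p in parts)


def _join(octets: list) -> Optional[str]:
    return ".".join(str(n) for n in octets) if len(octets) == 4 else None


def decimal_interpretation(value: str) -> Optional[str]:
    """Lenient decimal parse: '0127' is just 127 (leading zero ignored)."""
    octets = []
    for part in value.split("."):
        if not part.isdigit():
            return None
        n = int(part, 10)
        if n > 255:
            return None
        octets.append(n)
    return _join(octets)


def octal_interpretation(value: str) -> Optional[str]:
    """C-style parse: a leading '0' makes the octet octal, so '0127' is 87.
    Returns None when an octet is not valid under that rule (e.g. '08')."""
    octets = []
    for part in value.split("."):
        base = 8 if len(part) > 1 and part.startswith("0") else 10
        try:
            n = int(part, base)
        except ValueError:
            return None
        if n > 255:
            return None
        octets.append(n)
    return _join(octets)


def is_ambiguous(value: str) -> bool:
    """True when two common parsers would resolve the string differently."""
    return decimal_interpretation(value) != octal_interpretation(value)
```

A validator that accepts `0127.0.0.1` as "valid" leaves it to whichever resolver runs later to decide whether the request goes to loopback or to an unrelated public host, which is why the strict form rejects it outright.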
(In reply to John Helmert III from comment #0)
> validate_ipv4_address() and validate_ipv46_address() validators were not
> affected on Python 3.9.5+.

Actually, we've backported this change to all Python versions.
amd64 arm arm64 x86 (ALLARCHES) done

all arches done
(In reply to Michał Górny from comment #1)
> (In reply to John Helmert III from comment #0)
> > validate_ipv4_address() and validate_ipv46_address() validators were not
> > affected on Python 3.9.5+.
>
> Actually, we've backported this change to all Python versions.

Awesome, please cleanup!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b3e3bf7a80f42ad655e8b07c0aad43ae2742d0e

commit 7b3e3bf7a80f42ad655e8b07c0aad43ae2742d0e
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-06-03 06:44:37 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-06-03 06:47:47 +0000

    dev-python/django: Remove old

    Bug: https://bugs.gentoo.org/793911
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest               |  12 ----
 dev-python/django/django-2.2.22.ebuild   |  92 ---------------------------
 dev-python/django/django-2.2.23.ebuild   |  92 ---------------------------
 dev-python/django/django-3.1.10.ebuild   |  95 ----------------------------
 dev-python/django/django-3.1.11.ebuild   |  95 ----------------------------
 dev-python/django/django-3.2.2.ebuild    |  94 ----------------------------
 dev-python/django/django-3.2.3-r1.ebuild | 103 -------------------------------
 7 files changed, 583 deletions(-)
Thanks!
Unable to check for sanity:
> no match for package: dev-python/django-3.1.12
GLSA request filed.
Unable to check for sanity:
> no match for package: dev-python/django-2.2.24