799710 – (CVE-2021-35042) <dev-python/django-{3.1.13,3.2.5}: SQL injection vulnerability in QuerySet.order_by() (CVE-2021-35042)

Bug 799710 (CVE-2021-35042) - <dev-python/django-{3.1.13,3.2.5}: SQL injection vulnerability in QuerySet.order_by() (CVE-2021-35042)

Summary: <dev-python/django-{3.1.13,3.2.5}: SQL injection vulnerability in QuerySet.or...

Status:	IN_PROGRESS

Alias:	CVE-2021-35042

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://www.djangoproject.com/weblog/...
Whiteboard:	B3 [glsa? cve]
Keywords:

Depends on:
Blocks:

Reported:	2021-07-01 14:07 UTC by John Helmert III
Modified:	2023-10-06 10:35 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	dev-python/django-3.1.13 dev-python/django-3.2.5
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-07-01 14:07:52 UTC

CVE-2021-35042:

Unsanitized user input passed to QuerySet.order_by() could bypass intended column reference validation in path marked for deprecation resulting in a potential SQL injection even if a deprecation warning is emitted.

As a mitigation the strict column reference validation was restored for the duration of the deprecation period. This regression appeared in 3.1 as a side effect of fixing #31426.


Fix is in 3.1.13 and 3.2.5, please bump

Comment 1 Michał Górny archtester

2021-07-01 14:31:29 UTC

I'm going to push it shortly.

Comment 2 NATTkA bot gentoo-dev

2021-07-01 14:36:20 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: dev-python/django-3.1.13

Comment 3 NATTkA bot gentoo-dev

2021-07-01 14:44:23 UTC Comment hidden (obsolete)

All sanity-check issues have been resolved

Comment 4 John Helmert III archtester

2021-07-01 20:37:14 UTC

(In reply to Michał Górny from comment #1)
> I'm going to push it shortly.

Thanks!

Comment 5 Agostino Sarubbo gentoo-dev

2021-07-02 06:26:25 UTC

ALLARCHES stable. Closing.

Comment 6 John Helmert III archtester

2021-07-02 15:48:21 UTC

Please cleanup.

Comment 7 Larry the Git Cow gentoo-dev

2021-07-02 16:05:26 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c506557f7b14cca0811349b39c15d2a87fb8984

commit 8c506557f7b14cca0811349b39c15d2a87fb8984
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-07-02 16:01:36 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-07-02 16:05:19 +0000

    dev-python/django: Remove old
    
    Bug: https://bugs.gentoo.org/799710
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest             |   4 --
 dev-python/django/django-3.1.12.ebuild |  95 ------------------------------
 dev-python/django/django-3.2.4.ebuild  | 103 ---------------------------------
 3 files changed, 202 deletions(-)

Comment 8 John Helmert III archtester

2021-07-02 20:57:04 UTC

Thank you!

Comment 9 John Helmert III archtester

2021-07-11 02:59:04 UTC

GLSA request filed.

Comment 10 NATTkA bot gentoo-dev

2021-09-05 06:36:34 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: dev-python/django-3.2.5

Comment 11 NATTkA bot gentoo-dev

2021-12-07 20:12:43 UTC

Unable to check for sanity:

> no match for package: dev-python/django-3.1.13