Bug 727106 (CVE-2020-13254, CVE-2020-13596)

Summary: <dev-python/django-{2.2.13,3.0.7}: Multiple vulnerabilities (CVE-2020-{13254,13596})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: mgorny, python
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
Whiteboard: B4 [noglsa cve]
Package list:
=dev-python/django-2.2.13
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-04 11:08:12 UTC
* CVE-2020-13254

Description:
"In cases where a memcached backend does not perform key validation, passing
malformed cache keys could result in a key collision, and potential data
leakage. In order to avoid this vulnerability, key validation is added to the
memcached cache backends."

* CVE-2020-13596

Description:
"Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
ensures query parameters are correctly URL encoded."
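The key validation the first advisory describes, as an added example that is not Django's own code: a validator for memcached keys that rejects what the memcached text protocol cannot carry safely (keys over 250 bytes, or containing whitespace or control characters), applied to the final key after prefix and version are joined. The `prefix:version:key` layout and the function names are assumptions.

```python
"""Key validation for a memcached-style cache backend (illustrative, not Django's code)."""

MEMCACHE_MAX_KEY_LENGTH = 250  # key length limit of the memcached text protocol


class InvalidCacheKey(ValueError):
    """Raised when a key cannot be sent to memcached without ambiguity."""


def make_key(key, key_prefix="", version=1):
    """Build the final key as prefix:version:key (assumed layout)."""
    return f"{key_prefix}:{version}:{key}"


def memcache_key_problems(key):
    """Return the reasons why `key` is unsafe for the memcached text protocol.

    The protocol separates command tokens with spaces and ends lines with CRLF,
    so whitespace or control characters inside a key change how the server
    splits the command, and two distinct keys can end up addressing one entry.
    """
    problems = []
    if len(key.encode("utf-8")) > MEMCACHE_MAX_KEY_LENGTH:
        problems.append(f"key longer than {MEMCACHE_MAX_KEY_LENGTH} bytes")
    if any(ord(c) < 33 or ord(c) == 127 for c in key):
        problems.append("key contains whitespace or control characters")
    return problems


def validated_key(key, key_prefix="", version=1):
    """Return the full cache key, or raise InvalidCacheKey if it is unsafe."""
    full_key = make_key(key, key_prefix, version)
    problems = memcache_key_problems(full_key)
    if problems:
        raise InvalidCacheKey("; ".join(problems))
    return full_key


if __name__ == "__main__":
    # Constructed sample keys: one well-formed, three that must be rejected.
    print(validated_key("user:42:profile", key_prefix="site"))
    for bad in ["user 42", "user:42\tprofile", "x" * 260]:
        try:
            validated_key(bad)
        except InvalidCacheKey as exc:
            print(f"rejected {bad[:16]!r}: {exc}")
```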
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 02:23:25 UTC
@maintainer(s): ping
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-25 00:44:08 UTC
Very minor changes (2.2.12 had one bugfix, https://docs.djangoproject.com/en/3.0/releases/2.2.12/) and then 2.2.13 is just security fixes, so if no objections, I'll go ahead?
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-06-25 03:20:40 UTC
Yeah, sorry.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-25 15:53:24 UTC
(In reply to Michał Górny from comment #3)
> Yeah, sorry.

No need for apologies!
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-26 06:52:36 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-29 06:26:29 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 15:57:27 UTC
GLSA vote: no.