
Bug 771627

Summary: <dev-python/django-{2.2.19,3.0.13,3.1.7}: web cache poisoning vulnerability (CVE-2021-23336)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: minor
CC: mgorny, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.djangoproject.com/weblog/2021/feb/19/security-releases/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=768240
https://bugs.gentoo.org/show_bug.cgi?id=770853
Whiteboard: B3 [glsa? cve]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-19 16:08:13 UTC
CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default. Django now includes this fix. See bpo-42967 for further details.

Fixed in 2.2.19, 3.0.13, 3.1.7. Please bump.
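An added illustration of the parser disagreement behind this class of cache poisoning; it is not code from this bug report or from Django. The names `split_qs`, `parse_discrepancy` and `stdlib_matches_strict` are hypothetical and chosen for this example: `split_qs` stands in for a minimal query-string parser with a configurable separator set, `parse_discrepancy` reports the parameter pairs that a parser accepting both `&` and `;` produces but an `&`-only parser does not (a non-empty result is the precondition for two components, such as a cache and the application behind it, to read one URL differently), and `stdlib_matches_strict` checks that the fixed `urllib.parse.parse_qsl` (bpo-42967) agrees with the `&`-only behaviour. The sample query strings are constructed.

```python
# Added example for CVE-2021-23336 / bpo-42967; not code from Django or
# from this bug report. split_qs, parse_discrepancy and
# stdlib_matches_strict are hypothetical names used only here.
from urllib.parse import parse_qsl, unquote_plus


def split_qs(qs, separators=("&",)):
    """Minimal stand-in for a query-string parser.

    Splits `qs` on every character in `separators` (the first one is the
    canonical separator) and percent-decodes keys and values. Blank values
    are kept, matching parse_qsl(..., keep_blank_values=True).
    """
    canonical = separators[0]
    for extra in separators[1:]:
        qs = qs.replace(extra, canonical)
    pairs = []
    for part in qs.split(canonical):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def parse_discrepancy(qs):
    """Pairs that a parser accepting both '&' and ';' produces from `qs`
    but an '&'-only parser does not.

    A non-empty result means two components that parse the same URL with
    different separator sets (for example a cache keying on '&'-split
    parameters and an application that also splits on ';') disagree
    about its parameters, which is what the advisory's fix removes by
    making ';' a plain character by default.
    """
    strict = set(split_qs(qs, ("&",)))
    legacy = set(split_qs(qs, ("&", ";")))
    return sorted(legacy - strict)


def stdlib_matches_strict(qs):
    """True if urllib.parse.parse_qsl (fixed under bpo-42967 to split on
    '&' only by default) agrees with the '&'-only split_qs."""
    return parse_qsl(qs, keep_blank_values=True) == split_qs(qs, ("&",))


if __name__ == "__main__":
    # Constructed sample query strings: the first parses identically
    # either way, the second does not.
    for sample in ("page=1&sort=asc", "page=1;utm_source=newsletter&sort"):
        print(sample, "->", parse_discrepancy(sample))
```

The check worth carrying into a review of your own stack is the one `parse_discrepancy` models: every layer that derives a cache key or routing decision from the query string must split it with the same separator set as the application, which is what the 2.2.19 / 3.0.13 / 3.1.7 releases restore for Django's copy of `parse_qsl`.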
Comment 1 NATTkA bot gentoo-dev 2021-02-19 16:56:51 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-02-19 17:16:52 UTC Comment hidden (obsolete)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-24 23:20:28 UTC
amd64 arm arm64 x86 (ALLARCHES) done

all arches done
Comment 4 NATTkA bot gentoo-dev 2021-02-24 23:20:58 UTC Comment hidden (obsolete)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-24 23:56:34 UTC
Please cleanup, thanks!
Comment 6 Larry the Git Cow gentoo-dev 2021-02-25 07:40:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c05f904ab2693a62671cb6fa7182ffdbb059376

commit 6c05f904ab2693a62671cb6fa7182ffdbb059376
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-25 07:28:57 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-25 07:40:19 +0000

    dev-python/django: Remove old
    
    Bug: https://bugs.gentoo.org/771627
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest             |   6 --
 dev-python/django/django-2.2.18.ebuild |  94 ------------------------------
 dev-python/django/django-3.0.12.ebuild | 102 ---------------------------------
 dev-python/django/django-3.1.6.ebuild  |  95 ------------------------------
 4 files changed, 297 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 16:08:16 UTC
Thank you!
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 02:59:00 UTC
GLSA request filed.
Comment 9 NATTkA bot gentoo-dev 2021-07-29 17:23:59 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:32:25 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 17:40:18 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:48:28 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 18:04:25 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 18:12:43 UTC
Package list is empty or all packages have requested keywords.