
Bug 780579 (CVE-2021-28658)

Summary: <dev-python/django-{2.2.20,3.0.14,3.1.8}: MultiPartParser directory traversal
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: minor
CC: mgorny, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.djangoproject.com/weblog/2021/apr/06/security-releases/
Whiteboard: B4 [glsa? cve]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-06 13:13:44 UTC
CVE-2021-28658:

MultiPartParser allowed directory-traversal via uploaded files with suitably crafted file names.

Built-in upload handlers were not affected by this vulnerability.


Fixed in 2.2.20, 3.0.14, 3.1.8. Please bump.
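The flaw described above comes down to taking the filename from a part's Content-Disposition header and using it without first reducing it to a bare basename. The following is an added example, not Django's code, of the check a custom upload handler should apply before any path is built from that name, run over constructed part headers; `sanitize_upload_name`, `upload_name_from_part` and `classify_parts` are hypothetical names.

```python
import ntpath
import posixpath
from email import message_from_string


class SuspiciousFileName(ValueError):
    """A client-supplied upload name that must not be used to build a path."""


def sanitize_upload_name(name: str) -> str:
    """Reduce a client-supplied name to a bare basename, or reject it."""
    if "\x00" in name:
        raise SuspiciousFileName(f"NUL byte in upload name: {name!r}")
    # The uploader's OS is unknown, so '/' and '\' both count as separators.
    base = ntpath.basename(posixpath.basename(name))
    # A name that collapses to nothing, '.' or '..' is rejected, not repaired.
    if base in ("", ".", ".."):
        raise SuspiciousFileName(f"no usable basename in: {name!r}")
    return base


def upload_name_from_part(part_headers: str) -> str:
    """Return the filename parameter from one part's Content-Disposition."""
    msg = message_from_string(part_headers + "\r\n\r\n")  # headers, empty body
    filename = msg.get_filename()
    if filename is None:
        raise SuspiciousFileName("part carries no filename parameter")
    return filename


def classify_parts(parts):
    """Map each part's raw filename to its sanitized form or 'REJECTED'."""
    results = {}
    for headers in parts:
        raw = upload_name_from_part(headers)
        try:
            results[raw] = sanitize_upload_name(raw)
        except SuspiciousFileName:
            results[raw] = "REJECTED"
    return results


# Constructed part headers: one benign name, three carrying path components.
SAMPLE_PARTS = [
    'Content-Disposition: form-data; name="file"; filename="report.pdf"',
    'Content-Disposition: form-data; name="file"; filename="../../outside.txt"',
    'Content-Disposition: form-data; name="file"; filename="..\\..\\outside.txt"',
    'Content-Disposition: form-data; name="file"; filename="uploads/.."',
]
```

Names that still carry separators after parsing are reduced to their last component, and names with no usable component are refused outright rather than quietly mapped to something else.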
Comment 1 NATTkA bot gentoo-dev 2021-04-06 21:28:22 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-04-07 07:24:21 UTC Comment hidden (obsolete)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-10 07:47:21 UTC
amd64 arm arm64 x86 (ALLARCHES) done

all arches done
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-10 15:39:50 UTC
Please clean up
Comment 5 Larry the Git Cow gentoo-dev 2021-04-10 19:36:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c543f8d7dedbea08a123afcf000ae2584c712d8

commit 2c543f8d7dedbea08a123afcf000ae2584c712d8
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-04-10 16:40:18 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-04-10 19:35:58 +0000

    dev-python/django: Remove old
    
    Bug: https://bugs.gentoo.org/780579
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest             |   6 --
 dev-python/django/django-2.2.19.ebuild |  93 ------------------------------
 dev-python/django/django-3.0.13.ebuild | 101 ---------------------------------
 dev-python/django/django-3.1.7.ebuild  |  94 ------------------------------
 4 files changed, 294 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-11 01:55:46 UTC
Thanks!
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 02:59:01 UTC
GLSA request filed.
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:23:17 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 17:31:37 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:39:35 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 17:47:45 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 18:03:41 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 18:11:59 UTC
Package list is empty or all packages have requested keywords.