Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 799710 (CVE-2021-35042)

Summary: <dev-python/django-{3.1.13,3.2.5}: SQL injection vulnerability in QuerySet.order_by() (CVE-2021-35042)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: mgorny, python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.djangoproject.com/weblog/2021/jul/01/security-releases/
Whiteboard: B3 [glsa cve]
Package list:
dev-python/django-3.1.13 dev-python/django-3.2.5
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-01 14:07:52 UTC
CVE-2021-35042:

Unsanitized user input passed to QuerySet.order_by() could bypass intended column reference validation in path marked for deprecation resulting in a potential SQL injection even if a deprecation warning is emitted.

As a mitigation the strict column reference validation was restored for the duration of the deprecation period. This regression appeared in 3.1 as a side effect of fixing #31426.


Fix is in 3.1.13 and 3.2.5, please bump
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-07-01 14:31:29 UTC
I'm going to push it shortly.
Comment 2 NATTkA bot gentoo-dev 2021-07-01 14:36:20 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-01 14:44:23 UTC Comment hidden (obsolete)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-01 20:37:14 UTC
(In reply to Michał Górny from comment #1)
> I'm going to push it shortly.

Thanks!
Comment 5 Agostino Sarubbo gentoo-dev 2021-07-02 06:26:25 UTC
ALLARCHES stable. Closing.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-02 15:48:21 UTC
Please cleanup.
Comment 7 Larry the Git Cow gentoo-dev 2021-07-02 16:05:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c506557f7b14cca0811349b39c15d2a87fb8984

commit 8c506557f7b14cca0811349b39c15d2a87fb8984
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-07-02 16:01:36 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-07-02 16:05:19 +0000

    dev-python/django: Remove old
    
    Bug: https://bugs.gentoo.org/799710
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest             |   4 --
 dev-python/django/django-3.1.12.ebuild |  95 ------------------------------
 dev-python/django/django-3.2.4.ebuild  | 103 ---------------------------------
 3 files changed, 202 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-02 20:57:04 UTC
Thank you!
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 02:59:04 UTC
GLSA request filed.
Comment 10 NATTkA bot gentoo-dev 2021-09-05 06:36:34 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-12-07 20:12:43 UTC
Unable to check for sanity:

> no match for package: dev-python/django-3.1.13