Bug 771627 - <dev-python/django-{2.2.19,3.0.13,3.1.7}: web cache poisoning vulnerability (CVE-2021-23336)
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B3 [glsa? cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-19 16:08 UTC by John Helmert III
Modified: 2022-08-15 04:26 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-19 16:08:13 UTC
CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default. Django now includes this fix. See bpo-42967 for further details.


Fixed in 2.2.19, 3.0.13, 3.1.7. Please bump.
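The cache poisoning described in the report comes from two parsers disagreeing about what a query-string separator is: a front cache that splits only on `&` and an application that also splits on `;` will derive different parameter sets from one request. The block below is an added illustration, not Django's limited_parse_qsl() nor Python's parse_qsl(); the parser, the cache-key model and the sample query `utm_content=1;injected=evil` are all constructed here for demonstration.

```python
import re
from urllib.parse import unquote_plus

# Pre-fix parse_qsl semantics (before bpo-42967): both '&' and ';' separate pairs.
LEGACY_SEPARATORS = "&;"
# Post-fix semantics: only '&' separates pairs; ';' is an ordinary value character.
STRICT_SEPARATORS = "&"


def parse_qsl_model(query, separators=STRICT_SEPARATORS):
    """Minimal model of a parse_qsl()-style parser.

    Hypothetical reference implementation written for this example; it is not
    Django's limited_parse_qsl() and not urllib.parse.parse_qsl(). It splits
    the query on every character in `separators`, then each chunk on '='.
    """
    pairs = []
    for chunk in re.split("[" + re.escape(separators) + "]", query):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def cache_key(path, query, ignored_params, separators):
    """Model of a shared cache that keys on the path plus the query parameters
    it does not ignore (tracking parameters such as utm_* are a common choice)."""
    kept = [(k, v) for k, v in parse_qsl_model(query, separators)
            if k not in ignored_params]
    if not kept:
        return path
    return path + "?" + "&".join(f"{k}={v}" for k, v in kept)


def poisoning_scenario(query="utm_content=1;injected=evil"):
    """Show how an '&'-only cache and a '&;'-splitting application disagree.

    The cache sees a single ignored parameter and files the response under the
    key for a plain '/', while the legacy application sees a second parameter,
    'injected', and renders with it. A parser that follows the fix (STRICT)
    agrees with the cache again.
    """
    ignored = {"utm_content"}
    return {
        "cache_key": cache_key("/", query, ignored, STRICT_SEPARATORS),
        "app_params": dict(parse_qsl_model(query, LEGACY_SEPARATORS)),
        "fixed_app_params": dict(parse_qsl_model(query, STRICT_SEPARATORS)),
    }


if __name__ == "__main__":
    for name, value in poisoning_scenario().items():
        print(f"{name}: {value}")
```

The practical check after bumping to a fixed Django is that every component on the request path (CDN, reverse proxy, application) agrees on `&` as the only separator; a mismatch in either direction is what makes the cached response attacker-influenced.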
Comment 1 NATTkA bot gentoo-dev 2021-02-19 16:56:51 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-02-19 17:16:52 UTC Comment hidden (obsolete)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-24 23:20:28 UTC
amd64 arm arm64 x86 (ALLARCHES) done

all arches done
Comment 4 NATTkA bot gentoo-dev 2021-02-24 23:20:58 UTC Comment hidden (obsolete)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-24 23:56:34 UTC
Please cleanup, thanks!
Comment 6 Larry the Git Cow gentoo-dev 2021-02-25 07:40:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c05f904ab2693a62671cb6fa7182ffdbb059376

commit 6c05f904ab2693a62671cb6fa7182ffdbb059376
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-25 07:28:57 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-25 07:40:19 +0000

    dev-python/django: Remove old
    
    Bug: https://bugs.gentoo.org/771627
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest             |   6 --
 dev-python/django/django-2.2.18.ebuild |  94 ------------------------------
 dev-python/django/django-3.0.12.ebuild | 102 ---------------------------------
 dev-python/django/django-3.1.6.ebuild  |  95 ------------------------------
 4 files changed, 297 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 16:08:16 UTC
Thank you!
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 02:59:00 UTC
GLSA request filed.
Comment 9 NATTkA bot gentoo-dev 2021-07-29 17:23:59 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:32:25 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 17:40:18 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:48:28 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 18:04:25 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 18:12:43 UTC
Package list is empty or all packages have requested keywords.