CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default. Django now includes this fix. See bpo-42967 for further details.

Fixed in 2.2.19, 3.0.13, 3.1.7.

Please bump.
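The separator change described in the report above, as an added example that is not part of the original bug report or Django's own code: it compares the two splitting rules using the standard library's urllib.parse.parse_qsl and flags query strings that a ;-splitting parser and an &-only parser would read differently. The helper names and sample request targets are constructed for illustration, and the old rule is emulated rather than taken from the removed code.

```python
from urllib.parse import parse_qsl, urlsplit


def parse_fixed(query):
    """Post-fix rule: only '&' separates parameters (needs a Python with the bpo-42967 fix)."""
    return parse_qsl(query, keep_blank_values=True, separator="&")


def parse_legacy(query):
    """Pre-fix rule, emulated: both '&' and ';' separate parameters.

    Assumption: rewriting raw ';' to '&' before parsing reproduces the old
    splitting. Percent-encoded %3B is data under both rules and is untouched.
    """
    return parse_qsl(query.replace(";", "&"), keep_blank_values=True, separator="&")


def _group(pairs):
    grouped = {}
    for key, value in pairs:
        grouped.setdefault(key, []).append(value)
    return grouped


def parser_disagreement(query):
    """Return {key: (fixed_values, legacy_values)} for keys the two rules read differently."""
    fixed, legacy = _group(parse_fixed(query)), _group(parse_legacy(query))
    return {
        key: (fixed.get(key, []), legacy.get(key, []))
        for key in sorted(set(fixed) | set(legacy))
        if fixed.get(key) != legacy.get(key)
    }


def flag_requests(targets):
    """Return the request targets whose query string is ambiguous between the two rules."""
    return [t for t in targets if parser_disagreement(urlsplit(t).query)]


# Constructed request targets, e.g. as they would appear in an access log.
SAMPLE_TARGETS = [
    "/list?page=1&lang=en",   # same under both rules
    "/list?a=1&b=2;a=3",      # ';' changes which keys and values are seen
    "/search?q=a%3Bb",        # encoded ';' is a value character, not a separator
]

if __name__ == "__main__":
    for target in flag_requests(SAMPLE_TARGETS):
        print(target, parser_disagreement(urlsplit(target).query))
```

A request flagged here is one where a cache or proxy in front of the application and the application itself can disagree about the parameters if they are on different sides of the fix.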
Unable to check for sanity: > no match for package: dev-python/django-3.1.7
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
amd64 arm arm64 x86 (ALLARCHES) done all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c05f904ab2693a62671cb6fa7182ffdbb059376

commit 6c05f904ab2693a62671cb6fa7182ffdbb059376
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-25 07:28:57 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-25 07:40:19 +0000

    dev-python/django: Remove old

    Bug: https://bugs.gentoo.org/771627
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest             |   6 --
 dev-python/django/django-2.2.18.ebuild |  94 ------------------------------
 dev-python/django/django-3.0.12.ebuild | 102 ---------------------------------
 dev-python/django/django-3.1.6.ebuild  |  95 ------------------------------
 4 files changed, 297 deletions(-)
Thank you!
GLSA request filed.
Package list is empty or all packages have requested keywords.