Bug 780579 (CVE-2021-28658) - <dev-python/django-{2.2.20,3.0.14,3.1.8}: MultiPartParser directory traversal
Summary: <dev-python/django-{2.2.20,3.0.14,3.1.8}: MultiPartParser directory traversal
Status: CONFIRMED
Alias: CVE-2021-28658
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B4 [glsa? cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-06 13:13 UTC by John Helmert III
Modified: 2022-08-15 04:19 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-06 13:13:44 UTC
CVE-2021-28658:

MultiPartParser allowed directory-traversal via uploaded files with suitably crafted file names.

Built-in upload handlers were not affected by this vulnerability.


Fixed in 2.2.20, 3.0.14, 3.1.8. Please bump.
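The description above is the whole of what this bug records about the flaw: a multipart upload's client-supplied filename can carry path separators or parent-directory references, and a custom upload handler that joins it onto a storage directory without sanitizing it can write outside that directory. The following is an added illustration, not Django's code and not part of this bug report, of the defensive checks a custom upload handler should apply to such a name before it is used in a path: strip everything up to the last separator (both POSIX and Windows flavours), reject empty and current/parent-directory names, and still verify containment when the name is finally joined onto the upload directory. The function names and the /srv/uploads directory are assumptions chosen for the example.

```python
import html
import os

# Added illustration (not Django's code): treat the filename from a multipart
# Content-Disposition header as untrusted input and reduce it to a bare name
# before it is ever joined onto a directory on disk.


def sanitize_file_name(file_name):
    """Return a bare filename safe to join onto an upload directory, or None."""
    # Decode HTML entities first so an encoded traversal sequence such as
    # "&#46;&#46;/" cannot slip past the separator checks below.
    file_name = html.unescape(file_name)
    # Keep only the last path component, for both "/" and "\" separators.
    file_name = file_name.rsplit("/", 1)[-1]
    file_name = file_name.rsplit("\\", 1)[-1]
    # An empty name or a current/parent-directory reference is not a filename.
    if file_name in {"", ".", ".."}:
        return None
    return file_name


def destination_path(upload_dir, file_name):
    """Join a sanitized name under upload_dir and verify it stays inside it."""
    safe = sanitize_file_name(file_name)
    if safe is None:
        raise ValueError("rejected filename: %r" % file_name)
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, safe))
    # Belt and braces: even after sanitizing, confirm the result is contained
    # in the upload directory before handing it to the storage layer.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("path escapes upload directory: %r" % file_name)
    return dest


if __name__ == "__main__":
    # Constructed sample filenames of the kind a crafted upload might send.
    samples = ["report.pdf", "../../etc/passwd", "..\\..\\win.ini", "..", "/"]
    for name in samples:
        try:
            print("%-20r -> %s" % (name, destination_path("/srv/uploads", name)))
        except ValueError as exc:
            print("%-20r -> REJECTED (%s)" % (name, exc))
```

In the fixed Django releases the built-in handlers never used the raw name for a path, which is why only custom handlers were exposed; the containment check in destination_path is the extra step worth keeping in any code that writes uploads to a directory, since a name like "C:file.txt" survives separator stripping and is only safe once the storage layer has confirmed where it lands.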
Comment 1 NATTkA bot gentoo-dev 2021-04-06 21:28:22 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-04-07 07:24:21 UTC Comment hidden (obsolete)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-10 07:47:21 UTC
amd64 arm arm64 x86 (ALLARCHES) done

all arches done
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-10 15:39:50 UTC
Please cleanup
Comment 5 Larry the Git Cow gentoo-dev 2021-04-10 19:36:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c543f8d7dedbea08a123afcf000ae2584c712d8

commit 2c543f8d7dedbea08a123afcf000ae2584c712d8
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-04-10 16:40:18 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-04-10 19:35:58 +0000

    dev-python/django: Remove old
    
    Bug: https://bugs.gentoo.org/780579
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest             |   6 --
 dev-python/django/django-2.2.19.ebuild |  93 ------------------------------
 dev-python/django/django-3.0.13.ebuild | 101 ---------------------------------
 dev-python/django/django-3.1.7.ebuild  |  94 ------------------------------
 4 files changed, 294 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-11 01:55:46 UTC
Thanks!
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 02:59:01 UTC
GLSA request filed.
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:23:17 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 17:31:37 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:39:35 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 17:47:45 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 18:03:41 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 18:11:59 UTC
Package list is empty or all packages have requested keywords.