Bug 727106 (CVE-2020-13254, CVE-2020-13596) - <dev-python/django-{2.2.13,3.0.7}: Multiple vulnerabilities (CVE-2020-{13254,13596})
Status: RESOLVED FIXED
Alias: CVE-2020-13254, CVE-2020-13596
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-04 11:08 UTC by Sam James
Modified: 2020-07-27 20:50 UTC
CC List: 2 users

See Also:
Package list:
=dev-python/django-2.2.13
Runtime testing required: ---
nattka: sanity-check+
Description Sam James gentoo-dev Security 2020-06-04 11:08:12 UTC
* CVE-2020-13254 

Description:
"In cases where a memcached backend does not perform key validation, passing
malformed cache keys could result in a key collision, and potential data
leakage. In order to avoid this vulnerability, key validation is added to the
memcached cache backends."

* CVE-2020-13596

Description:
"Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
ensures query parameters are correctly URL encoded."
Comment 1 Sam James gentoo-dev Security 2020-06-20 02:23:25 UTC
@maintainer(s): ping
Comment 2 Sam James gentoo-dev Security 2020-06-25 00:44:08 UTC
Very minor changes (2.2.12 had one bugfix, https://docs.djangoproject.com/en/3.0/releases/2.2.12/) and then 2.2.13 is just security fixes, so if no objections, I'll go ahead?
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-06-25 03:20:40 UTC
Yeah, sorry.
Comment 4 Sam James gentoo-dev Security 2020-06-25 15:53:24 UTC
(In reply to Michał Górny from comment #3)
> Yeah, sorry.

No need for apologies!
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-26 06:52:36 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-29 06:26:29 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 7 Sam James gentoo-dev Security 2020-07-26 15:57:27 UTC
GLSA vote: no.