Bug 793911 (CVE-2021-33203, CVE-2021-33571) - <dev-python/django-{2.2.24,3.1.12,3.2.4}: multiple vulnerabilities (CVE-2021-{33203,33571})
Summary: <dev-python/django-{2.2.24,3.1.12,3.2.4}: multiple vulnerabilities (CVE-2021-...
Status: IN_PROGRESS
Alias: CVE-2021-33203, CVE-2021-33571
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B4 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2021-32052
Reported: 2021-06-02 15:18 UTC by John Helmert III
Modified: 2021-12-07 20:12 UTC
CC: 2 users
See Also:
Package list:
dev-python/django-2.2.24 dev-python/django-3.1.12 dev-python/django-3.2.4
Runtime testing required: ---
nattka: sanity-check-


Description John Helmert III gentoo-dev Security 2021-06-02 15:18:55 UTC
CVE-2021-33203: Potential directory traversal via admindocs

Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.

CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses

URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn't prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks.

validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+.

This issue has medium severity, according to the Django security policy.



Fixes in 2.2.24, 3.1.12, and 3.2.4, please bump.
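As an added illustration of the CVE-2021-33571 defect class, not code from Django or from this bug report: a permissive dotted-quad pattern (constructed here to show the flaw, not Django's exact pre-fix regex) accepts octets with leading zeros, while a strict pattern rejects them; the helper shows why that matters, since an octal-tolerant parser and a decimal parser disagree about which host such a literal names.

```python
import re
from typing import Optional

# Permissive octet: allows "01", "010", etc. (constructed example of the flaw)
_LOOSE_OCTET = r"(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)"
# Strict octet: a bare "0", or a 1-3 digit number with no leading zero
_STRICT_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"

_LOOSE_IPV4 = re.compile(rf"{_LOOSE_OCTET}(?:\.{_LOOSE_OCTET}){{3}}")
_STRICT_IPV4 = re.compile(rf"{_STRICT_OCTET}(?:\.{_STRICT_OCTET}){{3}}")


def loose_is_ipv4(value: str) -> bool:
    """Validator with the defect: leading zeros pass through."""
    return _LOOSE_IPV4.fullmatch(value) is not None


def strict_is_ipv4(value: str) -> bool:
    """Hardened validator: any octet with a leading zero is rejected."""
    return _STRICT_IPV4.fullmatch(value) is not None


def octal_interpretation(value: str) -> Optional[str]:
    """Read the quad the way an inet_aton-style parser would (leading zero
    means octal) and return the canonical decimal form, or None if the
    literal cannot be parsed that way. Compare with the decimal reading to
    see the ambiguity a strict validator removes."""
    parts = value.split(".")
    if len(parts) != 4:
        return None
    decoded = []
    for part in parts:
        if not part.isdigit():
            return None
        try:
            n = int(part, 8) if len(part) > 1 and part[0] == "0" else int(part, 10)
        except ValueError:  # e.g. "08" is not valid octal
            return None
        if n > 255:
            return None
        decoded.append(str(n))
    return ".".join(decoded)
```

With constructed input "010.0.0.1" the loose validator accepts it, the strict one rejects it, and the octal reading yields "8.0.0.1" while a decimal reader would see "10.0.0.1".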
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 22:39:47 UTC
(In reply to John Helmert III from comment #0)
> validate_ipv4_address() and validate_ipv46_address() validators were not
> affected on Python 3.9.5+.

Actually, we've backported this change to all Python versions.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-03 00:45:34 UTC
amd64 arm arm64 x86 (ALLARCHES) done

all arches done
Comment 3 John Helmert III gentoo-dev Security 2021-06-03 01:54:53 UTC
(In reply to Michał Górny from comment #1)
> (In reply to John Helmert III from comment #0)
> > validate_ipv4_address() and validate_ipv46_address() validators were not
> > affected on Python 3.9.5+.
> 
> Actually, we've backported this change to all Python versions.

Awesome, please cleanup!
Comment 4 Larry the Git Cow gentoo-dev 2021-06-03 06:47:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b3e3bf7a80f42ad655e8b07c0aad43ae2742d0e

commit 7b3e3bf7a80f42ad655e8b07c0aad43ae2742d0e
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-06-03 06:44:37 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-06-03 06:47:47 +0000

    dev-python/django: Remove old
    
    Bug: https://bugs.gentoo.org/793911
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest               |  12 ----
 dev-python/django/django-2.2.22.ebuild   |  92 ---------------------------
 dev-python/django/django-2.2.23.ebuild   |  92 ---------------------------
 dev-python/django/django-3.1.10.ebuild   |  95 ----------------------------
 dev-python/django/django-3.1.11.ebuild   |  95 ----------------------------
 dev-python/django/django-3.2.2.ebuild    |  94 ----------------------------
 dev-python/django/django-3.2.3-r1.ebuild | 103 -------------------------------
 7 files changed, 583 deletions(-)
Comment 5 John Helmert III gentoo-dev Security 2021-06-03 13:01:59 UTC
Thanks!
Comment 6 NATTkA bot gentoo-dev 2021-07-02 16:08:25 UTC Comment hidden (obsolete)
Comment 7 John Helmert III gentoo-dev Security 2021-07-11 02:59:03 UTC
GLSA request filed.
Comment 8 NATTkA bot gentoo-dev 2021-12-07 20:12:46 UTC
Unable to check for sanity:

> no match for package: dev-python/django-2.2.24