Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 799710 (CVE-2021-35042) - <dev-python/django-{3.1.13,3.2.5}: SQL injection vulnerability in QuerySet.order_by() (CVE-2021-35042)
Summary: <dev-python/django-{3.1.13,3.2.5}: SQL injection vulnerability in QuerySet.or...
Status: IN_PROGRESS
Alias: CVE-2021-35042
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-01 14:07 UTC by John Helmert III
Modified: 2022-06-02 22:01 UTC (History)
2 users (show)

See Also:
Package list:
dev-python/django-3.1.13 dev-python/django-3.2.5
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-01 14:07:52 UTC
CVE-2021-35042:

Unsanitized user input passed to QuerySet.order_by() could bypass intended column reference validation in path marked for deprecation resulting in a potential SQL injection even if a deprecation warning is emitted.

As a mitigation the strict column reference validation was restored for the duration of the deprecation period. This regression appeared in 3.1 as a side effect of fixing #31426.


Fix is in 3.1.13 and 3.2.5, please bump
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-07-01 14:31:29 UTC
I'm going to push it shortly.
Comment 2 NATTkA bot gentoo-dev 2021-07-01 14:36:20 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-01 14:44:23 UTC Comment hidden (obsolete)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-01 20:37:14 UTC
(In reply to Michał Górny from comment #1)
> I'm going to push it shortly.

Thanks!
Comment 5 Agostino Sarubbo gentoo-dev 2021-07-02 06:26:25 UTC
ALLARCHES stable. Closing.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-02 15:48:21 UTC
Please cleanup.
Comment 7 Larry the Git Cow gentoo-dev 2021-07-02 16:05:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c506557f7b14cca0811349b39c15d2a87fb8984

commit 8c506557f7b14cca0811349b39c15d2a87fb8984
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-07-02 16:01:36 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-07-02 16:05:19 +0000

    dev-python/django: Remove old
    
    Bug: https://bugs.gentoo.org/799710
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest             |   4 --
 dev-python/django/django-3.1.12.ebuild |  95 ------------------------------
 dev-python/django/django-3.2.4.ebuild  | 103 ---------------------------------
 3 files changed, 202 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-02 20:57:04 UTC
Thank you!
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 02:59:04 UTC
GLSA request filed.
Comment 10 NATTkA bot gentoo-dev 2021-09-05 06:36:34 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-12-07 20:12:43 UTC
Unable to check for sanity:

> no match for package: dev-python/django-3.1.13