-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5448
                        python-django security update
                               31 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-django
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-34265 CVE-2021-23336 CVE-2021-3281 CVE-2020-24584
                   CVE-2020-24583

Original Bulletin:
   http://www.debian.org/lts/security/2022/dla-3164

Comment: CVSS (Max):  9.8 CVE-2022-34265 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3164-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Chris Lamb
October 28, 2022                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-django
Version        : 1:1.11.29-1+deb10u2
CVE IDs        : CVE-2020-24583 CVE-2020-24584 CVE-2021-3281 CVE-2021-23336
                 CVE-2022-34265
Debian Bugs    : 969367 981562 983090 1014541

Multiple vulnerabilities were discovered in Django, a popular Python-based
web development framework:

* CVE-2020-24583: Fix incorrect permissions on intermediate-level
  directories on Python 3.7+. FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was
  not applied to intermediate-level directories created in the process of
  uploading files and to intermediate-level collected static directories
  when using the collectstatic management command. You should review and
  manually fix permissions on existing intermediate-level directories.
* CVE-2020-24584: Correct a permission escalation vulnerability in
  intermediate-level directories of the file system cache. On Python 3.7
  and above, the intermediate-level directories of the file system cache
  had the system's standard umask rather than 0o077 (no group or others
  permissions).

* CVE-2021-3281: Fix a potential directory-traversal exploit via
  archive.extract(). The django.utils.archive.extract() function, used by
  startapp --template and startproject --template, allowed directory
  traversal via an archive with absolute paths or relative paths with dot
  segments.

* CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
  cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
  added to backport some security fixes. A further security fix has been
  issued recently such that parse_qsl() no longer allows using ";" as a
  query parameter separator by default.

* CVE-2022-34265: The Trunc() and Extract() database functions were
  subject to a potential SQL injection attack if untrusted data was used
  as a value for the "kind" or "lookup_name" parameters. Applications
  that constrain the choice to a known safe list were unaffected.

For Debian 10 buster, these problems have been fixed in version
1:1.11.29-1+deb10u2.

We recommend that you upgrade your python-django packages.
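The CVE-2020-24583 entry asks administrators to review and manually fix permissions on intermediate-level directories that Django already created, and CVE-2020-24584 names the 0o077 (owner-only) policy those cache directories should have had. The audit script below is an added example, not code from the Debian advisory or from Django: it walks a directory tree, reports every subdirectory with group or other bits set, and can chmod them to 0o700; the cache/1a/2b layout is constructed for the demo and the function names are this example's own.

```python
import os
import stat
import tempfile


def find_permissive_dirs(root, max_mode=0o700):
    """Return sorted (relative path, mode) pairs for every subdirectory of
    root whose permission bits fall outside max_mode (default: owner only,
    what a 0o077 umask would have produced). Symlinks are skipped."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & ~max_mode:  # any bit outside the allowed set
                findings.append((os.path.relpath(path, root), mode))
    return sorted(findings)


def fix_permissive_dirs(root, mode=0o700):
    """chmod every directory reported by find_permissive_dirs to mode and
    return the relative paths that were changed."""
    fixed = []
    for rel, _ in find_permissive_dirs(root, mode):
        os.chmod(os.path.join(root, rel), mode)
        fixed.append(rel)
    return fixed


def demo():
    """Constructed layout. On Python 3.7+ os.makedirs(mode=0o700) applies
    the mode only to the leaf, the behaviour behind the advisory; the
    intermediate modes are then set explicitly so the result does not
    depend on the umask of the machine running this."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cache", "1a", "2b"), mode=0o700)
        os.chmod(os.path.join(root, "cache"), 0o755)        # world-readable
        os.chmod(os.path.join(root, "cache", "1a"), 0o750)  # group-readable
        before = find_permissive_dirs(root)
        fixed = fix_permissive_dirs(root)
        after = find_permissive_dirs(root)
        return before, fixed, after


if __name__ == "__main__":
    before, fixed, after = demo()
    for rel, mode in before:
        print("too permissive: %s (%s)" % (rel, oct(mode)))
    print("fixed:", fixed, "remaining:", after)
```

Point `find_permissive_dirs` at MEDIA_ROOT, STATIC_ROOT or the file-based cache LOCATION and review the report before running the fix, since a deployment that deliberately shares those trees with a web server user will need a different max_mode.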
For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================