===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5448
                       python-django security update
                              31 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-django
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-34265 CVE-2021-23336 CVE-2021-3281
                   CVE-2020-24584 CVE-2020-24583 

Original Bulletin: 
   http://www.debian.org/lts/security/2022/dla-3164

Comment: CVSS (Max):  9.8 CVE-2022-34265 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3164-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
October 28, 2022                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-django
Version        : 1:1.11.29-1+deb10u2
CVE IDs        : CVE-2020-24583 CVE-2020-24584 CVE-2021-3281
                 CVE-2021-23336 CVE-2022-34265
Debian Bugs    : 969367 981562 983090 1014541

Multiple vulnerabilities were discovered in Django, a popular
Python-based web development framework:

 * CVE-2020-24583: Fix incorrect permissions on intermediate-level
   directories on Python 3.7+. FILE_UPLOAD_DIRECTORY_PERMISSIONS mode
   was not applied to intermediate-level directories created in the
   process of uploading files and to intermediate-level collected
   static directories when using the collectstatic management
   command. You should review and manually fix permissions on
   existing intermediate-level directories.

 * CVE-2020-24584: Correct permission escalation vulnerability in
   intermediate-level directories of the file system cache. On Python
   3.7 and above, the intermediate-level directories of the file
   system cache had the system's standard umask rather than 0o077 (no
   group or others permissions).

 * CVE-2021-3281: Fix a potential directory-traversal exploit via
   archive.extract(). The django.utils.archive.extract() function,
   used by startapp --template and startproject --template, allowed
   directory traversal via an archive with absolute paths or relative
   paths with dot segments.

 * CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
   cloaking". Django contains a copy of urllib.parse.parse_qsl()
   which was added to backport some security fixes. A further
   security fix has been issued recently such that parse_qsl() no
   longer allows using ";" as a query parameter separator by default.

 * CVE-2022-34265: The Trunc() and Extract() database functions were
   subject to a potential SQL injection attack if untrusted data was
   used as a value for the "kind" or "lookup_name" parameters.
   Applications that constrain the choice to a known safe list were
   unaffected.
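One way to carry out the manual review the CVE-2020-24583 entry asks for, as an added example that is not part of the advisory or of Django: it first reproduces the pre-fix state (on Python 3.7+, os.makedirs applies its mode only to the leaf directory), then reports and fixes directories whose mode differs from the configured one. The 0o700 value and the date-based path layout are assumptions for the demonstration; use your project's FILE_UPLOAD_DIRECTORY_PERMISSIONS.

```python
import os
import shutil
import stat
import tempfile

# Mode to enforce on upload directories. 0o700 is an assumed value for this
# demonstration, not a Django default. The file-system-cache case
# (CVE-2020-24584) is the same audit with expected_mode=0o700, which is
# what 0o777 masked by 0o077 yields.
UPLOAD_DIR_MODE = 0o700

def find_nonconforming_dirs(root, expected_mode):
    """Return (path relative to root, actual mode) for every directory below
    root whose permission bits differ from expected_mode. root itself is
    skipped: the operator creates it, Django creates what lies beneath."""
    bad = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in sorted(dirnames):
            full = os.path.join(dirpath, d)
            if os.path.islink(full):  # never chmod through a symlink
                continue
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            if actual != expected_mode:
                bad.append((os.path.relpath(full, root), actual))
    return bad

def fix_dir_modes(root, expected_mode):
    """chmod every nonconforming directory; returns how many were changed."""
    bad = find_nonconforming_dirs(root, expected_mode)
    for rel, _ in bad:
        os.chmod(os.path.join(root, rel), expected_mode)
    return len(bad)

def demo():
    """Reproduce the pre-fix state: since Python 3.7, os.makedirs applies its
    mode only to the leaf directory, so intermediate ones get the umask."""
    old_umask = os.umask(0o022)  # a typical server umask
    root = tempfile.mkdtemp()    # constructed upload tree, removed at the end
    try:
        os.makedirs(os.path.join(root, "2022", "10", "28"), mode=UPLOAD_DIR_MODE)
        before = find_nonconforming_dirs(root, UPLOAD_DIR_MODE)
        fixed = fix_dir_modes(root, UPLOAD_DIR_MODE)
        after = find_nonconforming_dirs(root, UPLOAD_DIR_MODE)
        return before, fixed, after
    finally:
        os.umask(old_umask)
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```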
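The check the CVE-2021-3281 fix amounts to, as an added example that is not Django's own archive.extract() code: every member name is validated against the two shapes the entry describes (absolute paths and paths with ".." segments) and resolved under the destination before anything is written, so one bad member rejects the whole archive. The archive contents are constructed in memory and the helper names are this example's own.

```python
import io, os, shutil, tempfile, zipfile

class UnsafeArchiveMember(ValueError):
    pass  # member name would escape the destination directory

def validate_member_name(name):
    """Reject absolute paths and '..' segments; return a normalised relative name."""
    if name.startswith("/"):
        raise UnsafeArchiveMember(f"absolute path in archive: {name!r}")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeArchiveMember(f"dot segment in archive path: {name!r}")
    return "/".join(parts)

def safe_extract(zip_bytes, dest):
    """Validate every member before writing anything; returns the files written."""
    dest = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, validate_member_name(info.filename)))
            if os.path.commonpath([dest, target]) != dest:  # catches a symlink already under dest
                raise UnsafeArchiveMember(f"escapes destination: {info.filename!r}")
            plan.append((info, target))
        for info, target in plan:
            os.makedirs(target if info.is_dir() else os.path.dirname(target), exist_ok=True)
            if not info.is_dir():
                with zf.open(info) as src, open(target, "wb") as dst:
                    shutil.copyfileobj(src, dst)
    return [os.path.relpath(t, dest) for i, t in plan if not i.is_dir()]

def build_archive(members):  # constructed test input: in-memory zip from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Extract a benign template, then confirm the two unsafe shapes are refused."""
    with tempfile.TemporaryDirectory() as dest:
        ok = safe_extract(build_archive({"app/__init__.py": b"", "app/models.py": b"# models\n"}), dest)
        rejected = []
        for bad in ("/abs/outside.txt", "../outside.txt"):
            try:
                safe_extract(build_archive({"app/x.py": b"", bad: b"x"}), dest)
            except UnsafeArchiveMember:
                rejected.append(bad)
        return ok, rejected
```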

For Debian 10 buster, these problems have been fixed in version
1:1.11.29-1+deb10u2.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================