-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1574
                       python-django security update
                                7 May 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-django
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Overwrite Arbitrary Files -- Existing Account
                   Create Arbitrary Files    -- Existing Account
                   Access Confidential Data  -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-31542  

Reference:         ESB-2021.1522

Original Bulletin: 
   http://www.debian.org/lts/security/2021/dla-2651

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2651-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
May 06, 2021                                  https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : python-django
Version        : 1:1.10.7-2+deb9u13
CVE ID         : CVE-2021-31542
Debian Bug     : #988053

It was discovered that there was a potential directory-traversal
vulnerability in Django, a popular Python-based web development
framework.

The MultiPartParser, UploadedFile and FieldFile classes allowed
directory traversal via uploaded files with suitably crafted file
names. In order to mitigate this risk, stricter basename and path
sanitisation is now applied. Specifically, empty file names and paths
with dot segments are rejected.
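To make the two rejection rules concrete, the following is an added Python example (not Django's own code and not part of the advisory) that models the check: a bare-name mode for the MultiPartParser/UploadedFile case and a relative-path mode for the FieldFile case. The `allow_relative_path` parameter, the `SuspiciousFileOperation` stand-in class and the sample names are assumptions.

```python
import os
import pathlib


class SuspiciousFileOperation(Exception):
    """Stand-in for the exception Django raises on a rejected file name."""


def validate_upload_name(name, allow_relative_path=False):
    """Return ``name`` if it passes the checks, otherwise raise.

    Hypothetical implementation modelled on the advisory text, not Django's
    own code.  With allow_relative_path=False (the MultiPartParser /
    UploadedFile case) the name must be a bare file name.  With
    allow_relative_path=True (the FieldFile case, where upload_to may add
    directories) a relative path is allowed but must be neither absolute
    nor contain a '..' segment.  In both modes an empty, '.' or '..'
    basename is rejected.
    """
    if not isinstance(name, str):
        raise SuspiciousFileOperation("file name must be a string")
    base = os.path.basename(name)
    if base in ("", ".", ".."):
        raise SuspiciousFileOperation("could not derive file name from %r" % name)
    if allow_relative_path:
        path = pathlib.PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation("path traversal attempt in %r" % name)
    elif name != base:
        raise SuspiciousFileOperation("file name %r includes path elements" % name)
    return name


# Constructed sample names of the kind a Content-Disposition header could carry.
SAMPLES = ["report.pdf", "", ".", "..", "../../x.txt", "sub/../x.txt", "sub/", "2021/05/a.pdf"]


def classify(names=SAMPLES, allow_relative_path=False):
    """Map each name to 'accepted' or 'rejected' for the given mode."""
    verdicts = {}
    for n in names:
        try:
            validate_upload_name(n, allow_relative_path)
            verdicts[n] = "accepted"
        except SuspiciousFileOperation:
            verdicts[n] = "rejected"
    return verdicts


if __name__ == "__main__":
    for mode in (False, True):
        print("allow_relative_path=%s" % mode)
        for n, v in classify(allow_relative_path=mode).items():
            print("  %-16r basename=%-12r %s" % (n, os.path.basename(n), v))
```

Note that a bare `os.path.basename()` call turns `"sub/"` into an empty name and leaves `"."` and `".."` untouched, which is why the basename itself must be checked rather than only stripped of directories.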

For Debian 9 "Stretch", this problem has been fixed in version
1:1.10.7-2+deb9u13.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----