
Accepted python-django 2:3.2.4-1 (source) into experimental



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 02 Jun 2021 16:08:13 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.4-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 989394
Changes:
 python-django (2:3.2.4-1) experimental; urgency=medium
 .
   * New upstream security release. (Closes: #989394)
 .
     - CVE-2021-33203: Potential directory traversal via admindocs
 .
       Staff members could use the admindocs TemplateDetailView view to
       check the existence of arbitrary files. Additionally, if (and only
       if) the default admindocs templates have been customized by the
       developers to also expose the file contents, then not only the
       existence but also the file contents would have been exposed.
 .
       As a mitigation, path sanitation is now applied and only files
       within the template root directories can be loaded.
 .
       This issue has low severity, according to the Django security
       policy.
 .
       Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
       the CodeQL Python team for the report.
 .
     - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
       since validators accepted leading zeros in IPv4 addresses
 .
       URLValidator, validate_ipv4_address(), and
       validate_ipv46_address() didn't prohibit leading zeros in octal
       literals. If you used such values you could suffer from
       indeterminate SSRF, RFI, and LFI attacks.
 .
       validate_ipv4_address() and validate_ipv46_address() validators
       were not affected on Python 3.9.5+.
 .
       This issue has medium severity, according to the Django security
       policy.
 .
   * Bump Standards-Version to 4.5.1.
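The admindocs fix described above ("only files within the template root directories can be loaded") is a containment check: resolve the requested name against each template root and refuse anything that lands outside. The following is an added, self-contained illustration written for this page, not Django's own code; the function names, the temporary directory layout and the probe strings are all constructed for the demonstration. It contrasts a naive os.path.join existence check (the class of behaviour CVE-2021-33203 describes) with a path resolved and confined to the root.

```python
import os
import tempfile
from pathlib import Path


def unsafe_exists(root, requested):
    """Naive check: os.path.join discards `root` for absolute input and
    happily follows '..', so existence of any file on disk can be probed.
    Hypothetical 'before' behaviour for the demo, not Django's code."""
    return os.path.exists(os.path.join(str(root), requested))


def safe_template_path(template_roots, requested):
    """Return the resolved path for `requested` only if it stays inside one
    of `template_roots`; otherwise return None.  Resolving first collapses
    '..' and symlinks, so the containment test sees the real target."""
    for root in template_roots:
        root_abs = Path(root).resolve()
        # Path joining with an absolute `requested` yields `requested` itself;
        # the relative_to() test below catches that case as well.
        candidate = (root_abs / requested).resolve()
        try:
            candidate.relative_to(root_abs)
        except ValueError:
            continue  # escaped this root; try the next one
        return candidate
    return None


def safe_exists(template_roots, requested):
    """Existence check that only ever answers about files under the roots."""
    path = safe_template_path(template_roots, requested)
    return path is not None and path.is_file()


def demo():
    """Build a throwaway tree (constructed sample data) and probe it both ways.
    Returns {probe: (unsafe_answer, safe_answer)}."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        root = tmp / "templates"
        (root / "admin").mkdir(parents=True)
        (root / "admin" / "base.html").write_text("<html></html>")
        # A file outside the template root that a traversal would reach.
        secret = tmp / "secret.txt"
        secret.write_text("not a template")

        probes = [
            "admin/base.html",          # legitimate template
            "../secret.txt",            # relative traversal out of the root
            str(secret),                # absolute path, ignores the root entirely
            "admin/../../secret.txt",   # traversal hidden behind a valid prefix
        ]
        return {p: (unsafe_exists(root, p), safe_exists([root], p)) for p in probes}


if __name__ == "__main__":
    for probe, (unsafe, safe) in demo().items():
        print(f"{probe!r:40} unsafe={unsafe} safe={safe}")
```

The naive check answers True for every probe; the confined check answers True only for the real template. Note that the confinement is done on resolved paths on both sides, so a template root that is itself a symlink still works, and a symlink planted inside the root that points outside is rejected.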
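The IPv4 issue (CVE-2021-33571) is a parser-differential problem: a validator that merely checks "four numeric fields in 0..255" accepts "0177.0.0.1", but the libc inet_aton that the socket layer ultimately uses treats a field with a leading zero as octal, so the connection goes to 127.0.0.1. Any allow/deny decision made on the validated string (a blocklist of internal addresses, for instance) is therefore bypassable. The example below is added here and is not Django's code: permissive_is_ipv4() is a hypothetical stand-in for the pre-fix acceptance, strict_is_ipv4() applies the leading-zero rejection the release introduces, and find_bypasses() and the candidate strings are constructed for the demonstration. Python 3.9.5+ ipaddress.IPv4Address rejects leading zeros on its own, which is why the changelog says those two validators were unaffected there.

```python
import socket


def permissive_is_ipv4(value):
    """Hypothetical pre-fix behaviour: four ASCII-digit fields, each <= 255,
    leading zeros tolerated.  Not Django's implementation."""
    parts = value.split(".")
    return len(parts) == 4 and all(
        p.isascii() and p.isdigit() and int(p) <= 255 for p in parts
    )


def strict_is_ipv4(value):
    """Same syntax, but a field of more than one digit may not start with '0'.
    This is the shape of the check the release adds."""
    if not permissive_is_ipv4(value):
        return False
    return not any(len(p) > 1 and p[0] == "0" for p in value.split("."))


def as_seen_by_libc(value):
    """What the address actually means to inet_aton (glibc/BSD semantics:
    a leading 0 makes the field octal).  None if libc rejects the string."""
    try:
        return socket.inet_ntoa(socket.inet_aton(value))
    except OSError:
        return None


def find_bypasses(blocklist, candidates):
    """Return the candidate strings that (a) pass the permissive validator,
    (b) are not literally on the blocklist, yet (c) libc resolves to a
    blocked address.  Each one is an SSRF-style bypass of the blocklist."""
    blocked = set(blocklist)
    return [
        c for c in candidates
        if permissive_is_ipv4(c) and c not in blocked and as_seen_by_libc(c) in blocked
    ]


if __name__ == "__main__":
    blocklist = ["127.0.0.1", "10.0.0.1"]                # constructed sample
    candidates = ["0177.0.0.1", "127.0.0.1", "012.0.0.1", "192.168.1.1"]
    for c in candidates:
        print(f"{c:14} permissive={permissive_is_ipv4(c)!s:5} "
              f"strict={strict_is_ipv4(c)!s:5} libc={as_seen_by_libc(c)}")
    print("bypasses:", find_bypasses(blocklist, candidates))
```

The practical check for an existing deployment is the last function: feed it the addresses your own code refuses and see which octal spellings slip past a string-level comparison. The durable fix is the strict validator, but resolving to a canonical form before comparing (rather than comparing the user-supplied text) closes the same gap independently of the validator.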
Checksums-Sha1:
 4ee1eed1a0e6fedf485170c4ebaa6f05d3bc69a6 2779 python-django_3.2.4-1.dsc
 7b0875627bfd044cbfd3c9dc4b87c653a3cbe2dc 9824343 python-django_3.2.4.orig.tar.gz
 f27a1a167c94f01a9091d686acb87261b45cf5b4 27032 python-django_3.2.4-1.debian.tar.xz
 78698ba6396279c6d28add969aa37f805a31b571 7554 python-django_3.2.4-1_amd64.buildinfo
Checksums-Sha256:
 c045b9445260288da3d6f7277c021e7bb48c00a75cb7e99c847523b7a8d637e0 2779 python-django_3.2.4-1.dsc
 66c9d8db8cc6fe938a28b7887c1596e42d522e27618562517cc8929eb7e7f296 9824343 python-django_3.2.4.orig.tar.gz
 db66b00bd8120de0d96702b9a7890d4705e9fddfc44cedddf3987d6ca45ff7c6 27032 python-django_3.2.4-1.debian.tar.xz
 3df5a500a06c8134046c67998d042083a4c28a2e004e318c3009060b7918ef16 7554 python-django_3.2.4-1_amd64.buildinfo
Files:
 50510e7b32ffd8e048d5da8868000399 2779 python optional python-django_3.2.4-1.dsc
 2f30db9154efb8c9ed891781d29fae2a 9824343 python optional python-django_3.2.4.orig.tar.gz
 96a44ad690e88af965d761690de5f506 27032 python optional python-django_3.2.4-1.debian.tar.xz
 440686c732564cd131064c3a67ef23d6 7554 python optional python-django_3.2.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

