
Bug#983526: buster-pu: package python-django/1:1.11.29-1+deb10u1



Hi Chris,

On Thu, Feb 25, 2021 at 04:42:55PM +0000, Chris Lamb wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> Dear stable release managers,
> 
> Please consider python-django (1:1.11.29-1+deb10u1) for buster:
>   
>   python-django (1:1.11.29-1+deb10u1) buster; urgency=high
>   .
>     * CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
>       cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
>       added to backport some security fixes. A further security fix has been
>       issued recently such that parse_qsl() no longer allows using ";" as a
>       query parameter separator by default. (Closes: #983090)
>   .
>       For more information, please see:
>   .
>         https://www.djangoproject.com/weblog/2021/feb/19/security-releases/

There are as well other issues still open (which similarly do not
warrant a DSA), CVE-2021-3281, CVE-2020-24583 and CVE-2020-24584.
Can you add fixes for those as well?

> The full diff is attached. The security team believe this should go
> via s-p-u rather than via a DLA (if at all):
> 
>    https://bugs.debian.org/983090#27
> 
> Please double-check the version number for me. The current version in
> buster-security is 1:1.11.29-1~deb10u1 (with a tilde).

The version should IMHO still be smaller than 1:1.11.29-1 but
incremented, so I would use 1:1.11.29-1~deb10u2, as it is patched with
respect to 1:1.11.29-1~deb10u1.

Regards,
Salvatore
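The quoted changelog entry says the backported parse_qsl() no longer treats ";" as a query parameter separator by default. The following is an added illustration, not code from the bug report or from Django: it re-implements the two splitting rules (legacy "&" or ";" versus the fixed "&" only) in a few lines rather than relying on the separator keyword of a particular Python version, and uses them to flag requests whose parameter list differs between the two interpretations, which is what a defender would want to log while the fix is rolled out. The sample query strings are constructed.

```python
# Added illustration (not from the bug report): contrasts the legacy query-string
# splitting rule (both "&" and ";" separate parameters) with the fixed default
# ("&" only), so that requests the two rules interpret differently can be flagged.
import re
from urllib.parse import unquote_plus

LEGACY_SEPARATORS = re.compile(r"[&;]")  # pre-fix behaviour of parse_qsl()


def parse_pairs(query, legacy=False):
    """Split a raw query string into (name, value) pairs.

    legacy=True mimics the old parse_qsl() rule where ';' also separates
    parameters; legacy=False mimics the CVE-2021-23336 fix ('&' only).
    """
    parts = LEGACY_SEPARATORS.split(query) if legacy else query.split("&")
    pairs = []
    for part in parts:
        if not part:  # skip empty segments such as "a=1&&b=2"
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def parses_differently(query):
    """True when the legacy and fixed parsers disagree on the parameter list.

    A cache keying on one interpretation while the backend uses the other is
    the root of the parameter-cloaking issue; such requests are the ones worth
    logging or rejecting at the edge until every component uses the fixed rule.
    """
    return parse_pairs(query, legacy=True) != parse_pairs(query, legacy=False)


# Constructed sample query strings (not taken from the report).
SAMPLES = [
    "q=django&page=2",     # both rules agree
    "q=django;page=2",     # legacy sees two parameters, fixed sees one
    "q=django&note=a;b",   # legacy splits the value of "note"
]


def audit(queries):
    """Return (query, flagged) for each query string."""
    return [(q, parses_differently(q)) for q in queries]
```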

