
Bug#983526: buster-pu: package python-django/1:1.11.29-1+deb10u1



Chris Lamb wrote:

> Please find an updated patch attached, which also adopts your
> suggested version number:

The patch I *just* sent contained a binary portion which (judging by
the large number of bounces I just received!) will not have reached
many of the intended recipients. Therefore, please see:

   https://bugs.debian.org/983526#15

… for the original version of the message and the attachment. For
easy reference, however, the changelog entry is:

  Source: python-django
  Version: 1:1.11.29-1~deb10u2
  Distribution: buster
  Urgency: medium
  Maintainer: Chris Lamb <lamby@debian.org>
  Timestamp: 1614334069
  Date: Fri, 26 Feb 2021 10:07:49 +0000
  Closes: 969367 981562 983090
  Changes:
   python-django (1:1.11.29-1~deb10u2) buster; urgency=medium
   .
     * CVE-2020-24583: Fix incorrect permissions on intermediate-level directories
       on Python 3.7+. FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to
       intermediate-level directories created in the process of uploading files
       and to intermediate-level collected static directories when using the
       collectstatic management command. You should review and manually fix
       permissions on existing intermediate-level directories. (Closes: #969367)
   .
     * CVE-2020-24584: Correct permission escalation vulnerability in
       intermediate-level directories of the file system cache. On Python 3.7 and
       above, the intermediate-level directories of the file system cache had the
       system's standard umask rather than 0o077 (no group or others permissions).
       (Closes: #969367)
   .
     * CVE-2021-3281: Fix a potential directory-traversal exploit via
       archive.extract(). The django.utils.archive.extract() function, used by
       startapp --template and startproject --template, allowed directory
       traversal via an archive with absolute paths or relative paths with dot
       segments. (Closes: #981562)
   .
     * CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
       cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
       added to backport some security fixes. A further security fix has been
       issued recently such that parse_qsl() no longer allows using ";" as a query
       parameter separator by default. (Closes: #983090)


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-
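The CVE-2021-3281 entry above describes archive members with absolute paths or dot segments escaping the extraction directory. As an added example that is not part of this message or of Django's own django/utils/archive.py, the check below resolves each member name against the target directory and rejects any that would land outside it, run over a constructed in-memory tar; the base directory path is an assumption.

```python
import io
import os
import tarfile


def is_safe_member(base_dir, member_name):
    """True only if member_name resolves inside base_dir.

    Absolute names and names whose ".." segments escape base_dir are
    rejected. os.path.join discards base_dir when member_name is absolute,
    so the prefix comparison covers both cases.
    """
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, member_name))
    # Compare with a trailing separator so "base_dir_other/x" is not
    # mistaken for a path under "base_dir".
    return target == base or target.startswith(base + os.sep)


def partition_members(base_dir, names):
    """Split member names into (accepted, rejected) lists, order preserved."""
    accepted = [n for n in names if is_safe_member(base_dir, n)]
    rejected = [n for n in names if not is_safe_member(base_dir, n)]
    return accepted, rejected


def build_sample_archive():
    """Constructed tar: one benign member and three that would escape."""
    buf = io.BytesIO()
    names = ("app/models.py", "/abs/outside.txt",
             "../outside.txt", "app/../../outside.txt")
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"# placeholder\n"
            info = tarfile.TarInfo(name=name)  # addfile keeps the name verbatim
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def check_archive(base_dir="/tmp/project_template"):  # assumed target dir
    """Read member names from the sample tar and classify them."""
    with tarfile.open(fileobj=build_sample_archive(), mode="r") as tar:
        names = tar.getnames()
    return partition_members(base_dir, names)


if __name__ == "__main__":
    ok, bad = check_archive()
    print("accepted:", ok)
    print("rejected:", bad)
```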

