Bug#983526: buster-pu: package python-django/1:1.11.29-1+deb10u1
Chris Lamb wrote:
> Please find an updated patch attached, which also adopts your
> suggested version number:
The patch I *just* sent contained a binary portion which (judging by
the large number of bounces I just received!) will not have reached
many of the intended recipients. Therefore, please see:
https://bugs.debian.org/983526#15
… for the original version of the message and the attachment. For
easy reference, however, the changelog entry is:
Source: python-django
Version: 1:1.11.29-1~deb10u2
Distribution: buster
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Timestamp: 1614334069
Date: Fri, 26 Feb 2021 10:07:49 +0000
Closes: 969367 981562 983090
Changes:
python-django (1:1.11.29-1~deb10u2) buster; urgency=medium
.
* CVE-2020-24583: Fix incorrect permissions on intermediate-level directories
on Python 3.7+. FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to
intermediate-level directories created in the process of uploading files
and to intermediate-level collected static directories when using the
collectstatic management command. You should review and manually fix
permissions on existing intermediate-level directories. (Closes: #969367)
.
* CVE-2020-24584: Correct permission escalation vulnerability in
intermediate-level directories of the file system cache. On Python 3.7 and
above, the intermediate-level directories of the file system cache had the
system's standard umask rather than 0o077 (no group or others permissions).
(Closes: #969367)
.
* CVE-2021-3281: Fix a potential directory-traversal exploit via
archive.extract(). The django.utils.archive.extract() function, used by
startapp --template and startproject --template, allowed directory
traversal via an archive with absolute paths or relative paths with dot
segments. (Closes: #981562)
.
* CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
added to backport some security fixes. A further security fix has been
issued recently such that parse_qsl() no longer allows using ";" as a query
parameter separator by default. (Closes: #983090)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
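The changelog above describes two input-handling fixes in prose only: rejecting archive member names that are absolute or contain dot segments (CVE-2021-3281), and parsing query strings with "&" as the sole separator so that ";" no longer splits parameters (CVE-2021-23336). The following is an added example written for this page, not Django's own code or the patch attached to the bug; the function names, the drive-letter check and the sample member names are the example's own assumptions and constructed data, and it uses only the standard library.

```python
import posixpath
from urllib.parse import parse_qsl


def is_safe_extraction_path(member_name: str) -> bool:
    """Return True only if an archive member name can be written beneath
    the target directory without escaping it.

    Implements the two rejection rules the changelog describes for
    CVE-2021-3281: no absolute paths, and no '..' path segment anywhere.
    Archive member names use '/' separators regardless of host OS, so the
    check is done with posixpath rather than os.path.
    """
    # Some archivers emit backslash separators; normalise them first so a
    # '..\\' segment cannot slip past the split below.
    name = member_name.replace("\\", "/")
    if posixpath.isabs(name):
        return False
    # Extra assumption beyond the changelog: a Windows drive prefix such as
    # 'C:/...' is not absolute under posixpath, so reject it explicitly.
    if len(name) >= 2 and name[1] == ":":
        return False
    # Reject any '..' segment, not just a leading one ('a/../../b' also escapes).
    return ".." not in name.split("/")


def partition_members(names):
    """Split member names into (accepted, rejected) lists for extraction."""
    accepted, rejected = [], []
    for n in names:
        (accepted if is_safe_extraction_path(n) else rejected).append(n)
    return accepted, rejected


def parse_query(qs: str) -> dict:
    """Parse a query string using '&' as the only separator.

    With separator='&' (the default in patched Pythons), a ';' remains part
    of the preceding value instead of starting a new parameter, which is
    the behaviour the CVE-2021-23336 fix restores for Django's parse_qsl copy.
    """
    return dict(parse_qsl(qs, keep_blank_values=True, separator="&"))


if __name__ == "__main__":
    # Constructed sample member names, as a project template archive might contain.
    sample = [
        "myproject/settings.py",
        "myproject/../../outside.txt",
        "/etc/cron.d/job",
        "docs/..notes/readme.txt",
    ]
    ok, bad = partition_members(sample)
    print("accepted:", ok)
    print("rejected:", bad)
    print(parse_query("a=1;b=2"))
    print(parse_query("a=1&b=2"))
```

`docs/..notes/readme.txt` is accepted on purpose: only a segment that is exactly `..` moves up a directory, so matching on the substring `..` would reject harmless names. The query-string parse shows the two outcomes side by side: with "&" as the only separator, `a=1;b=2` yields a single parameter whose value is `1;b=2`, while `a=1&b=2` yields two.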