Bug#983526: buster-pu: package python-django/1:1.11.29-1+deb10u1
Hi Julien,
> I'm not convinced the regression risk here, of changing the longstanding
> behaviour, is worth it. People using a caching reverse proxy with a
> different config wrt query strings can just as well fix the issue on
> that end.
Fair enough. However, do note that this changelog was superseded by
the following:
python-django (1:1.11.29-1~deb10u2) buster; urgency=medium

  * CVE-2020-24583: Fix incorrect permissions on intermediate-level directories
    on Python 3.7+. FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to
    intermediate-level directories created in the process of uploading files
    and to intermediate-level collected static directories when using the
    collectstatic management command. You should review and manually fix
    permissions on existing intermediate-level directories. (Closes: #969367)
  * CVE-2020-24584: Correct permission escalation vulnerability in
    intermediate-level directories of the file system cache. On Python 3.7 and
    above, the intermediate-level directories of the file system cache had the
    system's standard umask rather than 0o077 (no group or others permissions).
    (Closes: #969367)
  * CVE-2021-3281: Fix a potential directory-traversal exploit via
    archive.extract(). The django.utils.archive.extract() function, used by
    startapp --template and startproject --template, allowed directory
    traversal via an archive with absolute paths or relative paths with dot
    segments. (Closes: #981562)
  * CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
    cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
    added to backport some security fixes. A further security fix has been
    issued recently such that parse_qsl() no longer allows using ";" as a query
    parameter separator by default. (Closes: #983090)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
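To make the CVE-2021-23336 changelog entry concrete, here is an added illustration (not part of the bug report, and not Django's code) of the separator mismatch that "parameter cloaking" relies on. parse_query() is a deliberately small stand-in for urllib.parse.parse_qsl() so the pre-fix behaviour (splitting on both "&" and ";") can be compared with the fixed behaviour (splitting on "&" only); cloaked_params() is an assumed helper that reports the parameter names a backend would see but a front-end cache keying on "&"-separated parameters would not.

```python
from urllib.parse import unquote_plus

# Added illustration of the "parameter cloaking" mismatch behind CVE-2021-23336.
# This is not Django's code: parse_query() is a small stand-in for
# urllib.parse.parse_qsl() so that the old and the fixed separator behaviour
# can be shown side by side.


def parse_query(qs, separators="&"):
    """Split a query string into (name, value) pairs.

    `separators` is the set of characters that end a pair. The pre-fix
    behaviour corresponds to "&;" (both characters split pairs); the fixed
    default corresponds to "&" only.
    """
    pairs, token = [], []
    for ch in qs:
        if ch in separators:
            pairs.append("".join(token))
            token = []
        else:
            token.append(ch)
    pairs.append("".join(token))

    result = []
    for pair in pairs:
        if not pair:
            continue
        name, _, value = pair.partition("=")
        result.append((unquote_plus(name), unquote_plus(value)))
    return result


def cloaked_params(qs, front_separators="&", app_separators="&;"):
    """Parameter names the application sees but the front-end cache does not.

    A caching proxy that splits only on '&' keys its cache on one parameter,
    while a backend that also splits on ';' sees extra parameters hidden
    inside that parameter's value. Any name returned here is a candidate for
    cache poisoning, so a non-empty result is the condition to alert on.
    """
    front = {name for name, _ in parse_query(qs, front_separators)}
    app = {name for name, _ in parse_query(qs, app_separators)}
    return sorted(app - front)


if __name__ == "__main__":
    # Constructed request: a tracking parameter (often excluded from the cache
    # key) whose value carries a ';'-separated second parameter.
    qs = "utm_content=x;section=admin"
    print("front-end sees:", parse_query(qs, "&"))
    print("legacy app sees:", parse_query(qs, "&;"))
    print("cloaked names:", cloaked_params(qs))
    print("after the fix:", cloaked_params(qs, "&", "&"))
```

Running the script shows the front-end treating the whole of `x;section=admin` as the value of `utm_content`, while a backend splitting on ";" additionally sees `section`; with both sides splitting only on "&" the discrepancy disappears, which is the effect of the parse_qsl() change described in the changelog.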
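The CVE-2021-3281 entry describes archive members with absolute paths or ".." segments escaping the extraction directory. As an added example (again not Django's archive module), the following shows the validation an extractor needs before writing each member: safe_extract_target() is an assumed helper that rejects absolute names and dot segments and, as a final guard, confirms the resolved path still lies under the base directory; partition_members() applies it to a constructed list of member names.

```python
import os
import posixpath

# Added illustration prompted by the CVE-2021-3281 changelog entry. This is not
# Django's code; the rules below are an assumption about what a safe extractor
# must reject ("absolute paths or relative paths with dot segments").


def safe_extract_target(base_dir, member_name):
    """Return the filesystem path a member may be written to, or None.

    Rejects absolute member names, names containing a '..' segment, and, as a
    last line of defence, any resolved path that lands outside base_dir.
    """
    # Archive formats use '/' separators; normalise backslashes so a
    # Windows-style name cannot sneak past the checks below.
    name = member_name.replace("\\", "/")
    if posixpath.isabs(name) or (len(name) > 1 and name[1] == ":"):
        return None
    if any(segment == ".." for segment in name.split("/")):
        return None

    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *name.split("/")))
    # realpath() collapses '.' segments and symlinks; the containment check
    # catches anything the string-level rules above did not anticipate.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def partition_members(base_dir, member_names):
    """Split member names into (accepted target paths, rejected member names)."""
    accepted, rejected = [], []
    for name in member_names:
        target = safe_extract_target(base_dir, name)
        if target is None:
            rejected.append(name)
        else:
            accepted.append(target)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed member list resembling a project template archive plus the
    # two shapes of name the changelog entry calls out.
    members = [
        "project_name/settings.py",
        "./project_name/urls.py",
        "/etc/cron.d/job",
        "../../home/user/.bashrc",
    ]
    ok, bad = partition_members("/no-such-dir/app", members)
    print("would extract:", ok)
    print("rejected:", bad)
```

The string-level rules give a clear reason for each rejection, and the commonpath() check is kept as a second, independent guard so that a name the rules did not foresee still cannot resolve outside the target directory.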