[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#989426: unblock: python-django/2:2.2.24-1

Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

Please consider unblocking python-django 2:2.2.24-1. It actually
constitutes two versions, the first addressing security releases which
should be uncontroversial and the second (2:2.2.23-1) fixes a
regression from the previous version. Quoting from the debdiff (which
can be found attached):

   * Fixed a regression in Django 2.2.21 where saving ``FileField`` would raise a
     ``SuspiciousFileOperation`` even when a custom
     :attr:`~django.db.models.FileField.upload_to` returns a valid file path
     (:ticket:`32718`).

This unblock would also incorporate a minor upstream change to the
documentation that points to Libera.chat over Freenode for the
project's IRC channel.

  python-django (2:2.2.24-1) unstable; urgency=medium

    * New upstream security release. (Closes: #989394)

      - CVE-2021-33203: Potential directory traversal via admindocs

        Staff members could use the admindocs TemplateDetailView view to
        check the existence of arbitrary files. Additionally, if (and only
        if) the default admindocs templates have been customized by the
        developers to also expose the file contents, then not only the
        existence but also the file contents would have been exposed.

        As a mitigation, path sanitation is now applied and only files
        within the template root directories can be loaded.

        This issue has low severity, according to the Django security
        policy.

        Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
        the CodeQL Python team for the report.

      - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
        since validators accepted leading zeros in IPv4 addresses

        URLValidator, validate_ipv4_address(), and
        validate_ipv46_address() didn't prohibit leading zeros in octal
        literals. If you used such values you could suffer from
        indeterminate SSRF, RFI, and LFI attacks.

        validate_ipv4_address() and validate_ipv46_address() validators
        were not affected on Python 3.9.5+.

        This issue has medium severity, according to the Django security
        policy.

   -- Chris Lamb <lamby@debian.org>  Wed, 02 Jun 2021 16:15:13 +0100


  python-django (2:2.2.23-1) unstable; urgency=medium

    * New upstream release.
      <https://docs.djangoproject.com/en/3.2/releases/2.2.23/>

   -- Chris Lamb <lamby@debian.org>  Thu, 13 May 2021 10:41:04 +0100


As mentioned above, the full debdiff is attached.


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Attachment: debdiff
Description: Binary data

Reply to: