ArchLinux: 202102-18: python-django: directory traversal
Summary
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal: members of a template archive are written using the path stored in the archive, so an archive containing absolute paths, or relative paths with dot segments (".."), can create files outside the intended target directory.
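The following is an added example, not Django's own code or the upstream fix: a minimal tar extractor that repeats the vulnerable pattern described above (joining each member name onto the target directory without validation) next to a hardened extractor that rejects absolute names and ".." escapes before writing anything. The archive, its member names and the helper names (build_tar, is_within, extract_naive, extract_safe, demo) are constructed for this example.

```python
"""
Added example (not Django's code): the vulnerable extraction pattern from
the advisory summary beside a hardened one. Member names, file contents and
helper names are constructed for this demonstration.
"""
import io
import os
import tarfile
import tempfile


def build_tar(member_names, data=b"payload\n"):
    """Build an in-memory tar whose member names are chosen by the caller.
    Constructed sample input: names such as '../escape.txt' or an absolute
    path are what a malicious --template archive would carry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_within(base, path):
    """True if path resolves to base itself or to something below it."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def extract_naive(archive_bytes, to_path):
    """Vulnerable pattern: os.path.join(to_path, member.name) with no check.
    '../x' climbs out of to_path; an absolute name discards to_path entirely.
    Returns the absolute paths actually written."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            dest = os.path.join(to_path, member.name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with tar.extractfile(member) as src, open(dest, "wb") as out:
                out.write(src.read())
            written.append(os.path.abspath(dest))
    return written


def extract_safe(archive_bytes, to_path):
    """Hardened pattern: validate every member first and refuse the whole
    archive if any member would land outside to_path, so a rejected archive
    leaves no partially extracted files behind."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        members = [m for m in tar.getmembers() if m.isfile()]
        for member in members:
            candidate = os.path.join(to_path, member.name)
            if os.path.isabs(member.name) or not is_within(to_path, candidate):
                raise ValueError("archive contains invalid path: %r" % member.name)
        written = []
        for member in members:
            dest = os.path.join(to_path, member.name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with tar.extractfile(member) as src, open(dest, "wb") as out:
                out.write(src.read())
            written.append(os.path.abspath(dest))
    return written


def demo():
    """Run both extractors on a constructed malicious archive inside a
    throwaway directory and report which files escaped the target."""
    with tempfile.TemporaryDirectory() as sandbox:
        target = os.path.join(sandbox, "target")
        os.mkdir(target)
        # Absolute-path member: kept under the sandbox only so the demo
        # cleans up after itself; an attacker would name any writable path.
        abs_victim = os.path.join(sandbox, "absolute.txt")
        evil = build_tar(["ok.txt", "../escape.txt", abs_victim])

        escaped = [p for p in extract_naive(evil, target) if not is_within(target, p)]

        try:
            extract_safe(evil, target)
            rejected = False
        except ValueError:
            rejected = True

        benign = extract_safe(build_tar(["app/models.py"]), target)
        return {
            "naive_escaped": sorted(os.path.basename(p) for p in escaped),
            "safe_rejected": rejected,
            "safe_benign": len(benign),
        }


if __name__ == "__main__":
    print(demo())
```

The check resolves the joined path with realpath and requires it to share the target as a common prefix, which covers both the absolute and the dot-segment cases in one test. It does not protect against symlinks extracted earlier in the same archive and then traversed by later members; an extractor that must accept symlinks needs to validate link targets as well.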
Resolution
Upgrade to 3.1.6-1.
# pacman -Syu "python-django>=3.1.6-1"
The problem has been fixed upstream in version 3.1.6.
References
https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
https://github.com/django/django/commit/02e6592835b4559909aa3aaaf67988fef435f624
https://security.archlinux.org/CVE-2021-3281
Workaround
None.