Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 620
Alerts This Week
Warning Icon 1 620

Mageia: 2021-0356 Moderate: Python-Django Directory Traversal Threat

mageia
Calendar Grey July 16, 2021
Dist Mageia Esm H88
The latest update of Mageia’s python-django package addresses numerous security vulnerabilities, enhancing protection against potential cross-site scripting vulnerabilities.
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names

Summary

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability (CVE-2021-28658).
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names (CVE-2021-31542).
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers (CVE-2021-32052).
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the ...

Read the Full Advisory

References

- https://bugs.mageia.org/show_bug.cgi?id=28802

- https://www.djangoproject.com/weblog/2021/apr/06/security-releases/

- https://www.djangoproject.com/weblog/2021/may/04/security-releases/

- https://www.djangoproject.com/weblog/2021/may/06/security-releases/

- https://www.djangoproject.com/weblog/2021/jun/02/security-releases/

- https://www.djangoproject.com/weblog/2021/jul/01/security-releases/

- https://docs.djangoproject.com/en/dev/releases/3.1.8/

- https://docs.djangoproject.com/en/dev/releases/3.1.9/

- https://docs.djangoproject.com/en/dev/releases/3.1.10/

- https://docs.djangoproject.com/en/dev/releases/3.1.11/

- https://docs.djangoproject.com/en/dev/releases/3.1.12/

- https://docs.djangoproject.com/en/dev/releases/3.1.13/

- https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html

- https://ubuntu.com/security/notices/USN-4902-1

- https://ubuntu.com/security/notices/USN-4932-1

- https://ubuntu.com/security/notices/USN-4975-1

- https://www.cve.org/CVERecord?id=CVE-2021-28658

- https://www.cve.org/CVERecord?id=CVE-2021-31542

- https://www.cve.org/CVERecord?id=CVE-2021-32052

- https://www.cve.org/CVERecord?id=CVE-2021-33203

- https://www.cve.org/CVERecord?id=CVE-2021-33571

- https://www.cve.org/CVERecord?id=CVE-2021-35042

Resolution

SRPMS

- 8/core/python-django-3.1.13-1.mga8

Publication date: 16 Jul 2021
URL: https://advisories.mageia.org/MGASA-2021-0356.html
Type: security
CVE: CVE-2021-28658, CVE-2021-31542, CVE-2021-32052, CVE-2021-33203, CVE-2021-33571, CVE-2021-35042

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.