Debian 10264 Published by

A python-django security update has been released for Debian GNU/Linux 9 LTS to address two issues.



DLA 2676-1: python-django security update



- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2676-1 debian-lts@lists.debian.org
  https://www.debian.org/lts/security/ Chris Lamb
June 05, 2021   https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : python-django
Version : 1:1.10.7-2+deb9u14
CVE IDs : CVE-2021-33203 CVE-2021-33571
Debian Bug : #989394

Two issues were discovered in Django, the Python-based web
development framework:

* CVE-2021-33203: Potential directory traversal via admindocs

Staff members could use the admindocs TemplateDetailView view to
check the existence of arbitrary files. Additionally, if (and only
if) the default admindocs templates have been customized by the
developers to also expose the file contents, then not only the
existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files
within the template root directories can be loaded.

This issue has low severity, according to the Django security
policy.

Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
the CodeQL Python team for the report.

* CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
since validators accepted leading zeros in IPv4 addresses

URLValidator, validate_ipv4_address(), and
validate_ipv46_address() didn't prohibit leading zeros in octal
literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.

validate_ipv4_address() and validate_ipv46_address() validators
were not affected on Python 3.9.5+.

This issue has medium severity, according to the Django security
policy.

For Debian 9 "Stretch", this problem has been fixed in version
1:1.10.7-2+deb9u14.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
  https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://wiki.debian.org/LTS