Debian 10218 Published by

A python-django security update has been released for Debian GNU/Linux 8 Extended LTS to address a potential directory-traversal vulnerability.



ELA-421-1 python-django security update

Package python-django
Version 1.7.11-1+deb8u13
Related CVEs CVE-2021-31542

It was discovered that there was potential directory-traversal vulnerability in Django, a popular Python-based web development framework.

The MultiPartParser, UploadedFile and FieldFile classes allowed directory-traversal via uploaded files with suitably crafted file names. In order to mitigate this risk, stricter basename and path sanitation is now applied. Specifically, empty file names and paths with dot segments are rejected.

For Debian 8 Jessie, these problems have been fixed in version 1.7.11-1+deb8u13.

We recommend that you upgrade your python-django packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-421-1 python-django security update