-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2676-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Chris Lamb June 05, 2021 https://wiki.debian.org/LTS - -------------------------------------------------------------------------
Package : python-django Version : 1:1.10.7-2+deb9u14 CVE IDs : CVE-2021-33203 CVE-2021-33571 Debian Bug : #989394 Two issues were discovered in Django, the Python-based web development framework: * CVE-2021-33203: Potential directory traversal via admindocs Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed. As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded. This issue has low severity, according to the Django security policy. Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from the CodeQL Python team for the report. * CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn't prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks. validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+. This issue has medium severity, according to the Django security policy. For Debian 9 "Stretch", this problem has been fixed in version 1:1.10.7-2+deb9u14. We recommend that you upgrade your python-django packages. For the detailed security status of python-django please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python-django Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmC7SrkACgkQHpU+J9Qx HlhfOxAAmBjCvWfUXv60dy2++hoDImfYP2jr5fhx965OAaHZj1B64pxwN8Le8gZR ivEc/GpPsexkiLxyGKGzswcb/qJeRTHeu0hurpuXN2ICg2ZE8p1II3WzGaURip5I JbOkOJ4tZdL6/KauNRAuRJpjA56yfdAl1kgavTB9KWD+f1FtuMLT88S/xPtnVBRc nNUYv5oqkcDwfY+KfyegemEYYsyqhUbd0+g5yhjiJyCz+nI2woumfJTsS1E4Xvof hvyOx2p4GVK2FKP4+gA/9DgGlZzZfe+7xKu+aw7iINEFidakl6kvAri7r2ew0KS2 drBn7qj5mEIbr+QbjdOWemwFy2nJpQvSmYGS86srSil2znObrJnBtNrhae3vyEqI 3QyQDlFanyNHPuf+7y8MntDBnXm1S09sEL0CGe8dn5IPpqTXfqRpfRDN1In3eKkj BZ5P1rgVBKXlHDj2vF5SJdo6VXcMFMF1Sm8hfkbZ+JBbeXA7e8pv+0Chndd85VL1 UgNpy7DZtIQyEUTfqZbBf2yAjoxs/rUZ5eZZTg+nSLwimqhP+Vff4f6wagS+zCC6 hRbdlhAbVrRlVZa0Yqa7BY4UnIthq/5cjC1AR0KIwxHTOoR3p5g1UHFsv8+Nyx6v FG8mbsMwqWaZX0J8hZ8JsXH5ZjhCw122G8mauEKi9BZSNFVeDXw= =3FDW -----END PGP SIGNATURE-----