-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 02 Jun 2021 16:08:13 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.4-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 989394
Changes:
 python-django (2:3.2.4-1) experimental; urgency=medium
 .
   * New upstream security release. (Closes: #989394)
 .
     - CVE-2021-33203: Potential directory traversal via admindocs
 .
       Staff members could use the admindocs TemplateDetailView view to
       check the existence of arbitrary files. Additionally, if (and only
       if) the default admindocs templates have been customized by the
       developers to also expose the file contents, then not only the
       existence but also the file contents would have been exposed.
 .
       As a mitigation, path sanitation is now applied and only files
       within the template root directories can be loaded.
 .
       This issue has low severity, according to the Django security
       policy.
 .
       Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
       the CodeQL Python team for the report.
 .
     - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
       since validators accepted leading zeros in IPv4 addresses
 .
       URLValidator, validate_ipv4_address(), and validate_ipv46_address()
       didn't prohibit leading zeros in octal literals. If you used such
       values you could suffer from indeterminate SSRF, RFI, and LFI
       attacks.
 .
       validate_ipv4_address() and validate_ipv46_address() validators
       were not affected on Python 3.9.5+.
 .
       This issue has medium severity, according to the Django security
       policy.
 .
   * Bump Standards-Version to 4.5.1.
Checksums-Sha1:
 4ee1eed1a0e6fedf485170c4ebaa6f05d3bc69a6 2779 python-django_3.2.4-1.dsc
 7b0875627bfd044cbfd3c9dc4b87c653a3cbe2dc 9824343 python-django_3.2.4.orig.tar.gz
 f27a1a167c94f01a9091d686acb87261b45cf5b4 27032 python-django_3.2.4-1.debian.tar.xz
 78698ba6396279c6d28add969aa37f805a31b571 7554 python-django_3.2.4-1_amd64.buildinfo
Checksums-Sha256:
 c045b9445260288da3d6f7277c021e7bb48c00a75cb7e99c847523b7a8d637e0 2779 python-django_3.2.4-1.dsc
 66c9d8db8cc6fe938a28b7887c1596e42d522e27618562517cc8929eb7e7f296 9824343 python-django_3.2.4.orig.tar.gz
 db66b00bd8120de0d96702b9a7890d4705e9fddfc44cedddf3987d6ca45ff7c6 27032 python-django_3.2.4-1.debian.tar.xz
 3df5a500a06c8134046c67998d042083a4c28a2e004e318c3009060b7918ef16 7554 python-django_3.2.4-1_amd64.buildinfo
Files:
 50510e7b32ffd8e048d5da8868000399 2779 python optional python-django_3.2.4-1.dsc
 2f30db9154efb8c9ed891781d29fae2a 9824343 python optional python-django_3.2.4.orig.tar.gz
 96a44ad690e88af965d761690de5f506 27032 python optional python-django_3.2.4-1.debian.tar.xz
 440686c732564cd131064c3a67ef23d6 7554 python optional python-django_3.2.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmC3oAgACgkQHpU+J9Qx
Hljl7A/+J4+TQSth0z57OKUhEKOw26Eg/waSzRcB/i/5e06DaGDGSdKz2AubYG0i
PUKei4AuK3xkXVqCTO/QZLrCl3XlI3MNGFsyo8MP0kIm8VvyX1P0yfXfT1ckUNhu
IysWW1GKF3Aj9FxuQf+ZlUwLB3OQL6ciToQL089I3BTxoXPWO3zNiuqHyCgKuuXk
PcdhaucQwe/ujYU6DZidckpxkkFaq9/C3fLyINEU/lXxsJ58N51OjYKxEPiJ4r4m
zXAKNc9ZTCgZGql3PVqF2Xqv/zcedOQsFWHnyPEwico6H825BOS39/kt2zBzo0ds
EoXwj6wstPjD30qC7W3iE0VDa0XyD75ElfXW1t/XVyqq1oQrcLtsGek2H0QZhv4l
q252jgVH0Z0glTGRDhgCvqMURrvf5mzJwRYMv3JKY+Rx1DJWNagFj/SrzxRc44SN
5z5Ui3NhAFwiDvlF64s+4nW7bKPiiVbb9asSXEVDqiXK0q2NjZ3xUhyTddWadCXm
lDp0FVnHk2vTJR/XmPn1KBK4gN0+9xGvH3yOpz3Mkr6YUcJwHb30x9Sgroj6w/uu
ZbmvtsoiALnRWXWNAfVRvZMPKisj9RxC1J6PzcA2YS7qbzHggQD5pry+smjCHSR1
cZ4Ml0HrvtwYb7TqSJn+KcKyGHYOGgZE4QOCr1D0KII4dbAxN80=
=+Oi4
-----END PGP SIGNATURE-----
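The CVE-2021-33203 entry above says the fix applies "path sanitation" so that only files inside the template root directories can be loaded. The following is an added example, not Django's own code, of the containment check such a fix needs: the candidate path is resolved first and then tested against the resolved root, so that `..` segments, absolute names and symlinks are all judged on the path the operating system would actually open. `safe_join`, `find_template` and `build_demo_tree` are names chosen here for illustration; the temporary template tree is a constructed fixture.

```python
import os
import tempfile
from typing import Iterable, Optional


class SuspiciousFileOperation(Exception):
    """Raised when a joined path resolves outside its intended root."""


def safe_join(base: str, *paths: str) -> str:
    """Join *paths onto base and refuse any result that escapes base.

    realpath() collapses '..' components and resolves symlinks, so the
    containment test runs on the final, canonical path rather than on
    the untrusted text. An absolute component in *paths makes
    os.path.join discard base entirely, which this check also catches.
    """
    base_path = os.path.realpath(base)
    final_path = os.path.realpath(os.path.join(base_path, *paths))
    inside = final_path == base_path or final_path.startswith(base_path + os.sep)
    if not inside:
        raise SuspiciousFileOperation(
            f"joined path {final_path!r} is outside base path {base_path!r}"
        )
    return final_path


def is_within_root(base: str, *paths: str) -> bool:
    """Boolean form of safe_join for callers that only want a verdict."""
    try:
        safe_join(base, *paths)
    except SuspiciousFileOperation:
        return False
    return True


def find_template(template_name: str, template_dirs: Iterable[str]) -> Optional[str]:
    """Return the on-disk path of template_name inside one of template_dirs.

    A name that resolves outside every root is skipped without touching
    the filesystem, so the caller learns nothing about files beyond the
    roots, not even whether they exist.
    """
    for template_dir in template_dirs:
        try:
            candidate = safe_join(template_dir, template_name)
        except SuspiciousFileOperation:
            continue
        if os.path.isfile(candidate):
            return candidate
    return None


def build_demo_tree() -> tuple:
    """Constructed fixture: a temporary template root holding one template.

    Returns (root, canonical path of the template file).
    """
    root = tempfile.mkdtemp(prefix="templates-")
    os.makedirs(os.path.join(root, "admin_doc"))
    template_path = os.path.join(root, "admin_doc", "template_detail.html")
    with open(template_path, "w", encoding="utf-8") as fh:
        fh.write("<h1>{{ name }}</h1>\n")
    return root, os.path.realpath(template_path)


if __name__ == "__main__":
    root, _ = build_demo_tree()
    for name in ("admin_doc/template_detail.html", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:40} -> {find_template(name, [root])}")
```

The order of operations is the point: normalise, then compare, then touch the disk. Comparing before normalising lets `a/../../b` through, and checking existence before comparing reproduces the existence oracle the advisory describes.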
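The CVE-2021-33571 entry above turns on one fact: an octet written with a leading zero, such as `010`, is read as decimal 10 by one parser and as octal 8 by another (C's `inet_aton` family treats a leading `0` as octal), so an address that passed a lenient validator could be resolved to a different host than the one it was checked against. The following is an added example, not Django's validator code, that makes the two readings explicit and shows a validator that rejects the ambiguous form on any Python version, independent of the 3.9.5 change mentioned in the entry. `parse_like_inet_aton` models only the four-part dotted form of that C behaviour; `is_strict_ipv4`, `validate_ipv4_address` and `is_ambiguous` are names chosen here for illustration.

```python
import re
from typing import Tuple

# Canonical dotted-decimal IPv4 text: four octets 0-255, with "0" allowed
# but "01", "010" and friends rejected. This is the rule a fixed validator
# enforces, so that every consumer downstream reads the same four numbers.
_STRICT_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_STRICT_IPV4 = re.compile(rf"^(?:{_STRICT_OCTET}\.){{3}}{_STRICT_OCTET}$")


def is_strict_ipv4(value: str) -> bool:
    """True only for canonical dotted-decimal text with no leading zeros."""
    return _STRICT_IPV4.match(value) is not None


def validate_ipv4_address(value: str) -> None:
    """Raise ValueError on anything but canonical dotted-decimal text."""
    if not is_strict_ipv4(value):
        raise ValueError(f"Enter a valid IPv4 address: {value!r}")


def _four_parts(value: str) -> list:
    parts = value.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted parts: {value!r}")
    return parts


def parse_decimal(value: str) -> Tuple[int, ...]:
    """Reading 1: every octet is decimal, leading zeros are insignificant."""
    return tuple(int(part, 10) for part in _four_parts(value))


def parse_like_inet_aton(value: str) -> Tuple[int, ...]:
    """Reading 2: C-style numeric prefixes, as inet_aton applies them.

    '0x' prefix -> hexadecimal, leading '0' -> octal, otherwise decimal.
    Only the four-part form is modelled here (constructed simplification;
    real inet_aton also accepts one-, two- and three-part addresses).
    """
    octets = []
    for part in _four_parts(value):
        if part.lower().startswith("0x"):
            octets.append(int(part[2:], 16))
        elif len(part) > 1 and part.startswith("0"):
            octets.append(int(part, 8))
        else:
            octets.append(int(part, 10))
    return tuple(octets)


def is_ambiguous(value: str) -> bool:
    """True when the two readings disagree on which host the text names."""
    try:
        return parse_decimal(value) != parse_like_inet_aton(value)
    except ValueError:
        # Not parseable as four numbers by at least one reading: treat as
        # ambiguous, since a strict validator would reject it anyway.
        return True


if __name__ == "__main__":
    for candidate in ("10.0.0.1", "010.0.0.1", "0.0.0.0", "256.1.1.1"):
        print(
            f"{candidate:12} strict={is_strict_ipv4(candidate)!s:5} "
            f"ambiguous={is_ambiguous(candidate)}"
        )
```

A lenient validator accepts `010.0.0.1` because every octet is in range under the decimal reading; the strict regex refuses it outright, so the question of which reading applies downstream never arises.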