Chris Lamb wrote:

> Please find an updated patch attached, which also adopts your
> suggested version number:

The patch I *just* sent contained a binary portion which (judging by the large number of bounces I just received!) will not have reached many of the intended recipients. Therefore, please see:

  https://bugs.debian.org/983526#15

… for the original version of the message and the attachment. For easy reference, however, the changelog entry is:

Source: python-django
Version: 1:1.11.29-1~deb10u2
Distribution: buster
Urgency: medium
Maintainer: Chris Lamb <la...@debian.org>
Timestamp: 1614334069
Date: Fri, 26 Feb 2021 10:07:49 +0000
Closes: 969367 981562 983090
Changes:
 python-django (1:1.11.29-1~deb10u2) buster; urgency=medium
 .
   * CVE-2020-24583: Fix incorrect permissions on intermediate-level
     directories on Python 3.7+. FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was
     not applied to intermediate-level directories created in the process of
     uploading files and to intermediate-level collected static directories
     when using the collectstatic management command. You should review and
     manually fix permissions on existing intermediate-level directories.
     (Closes: #969367)
 .
   * CVE-2020-24584: Correct permission escalation vulnerability in
     intermediate-level directories of the file system cache. On Python 3.7
     and above, the intermediate-level directories of the file system cache
     had the system's standard umask rather than 0o077 (no group or others
     permissions). (Closes: #969367)
 .
   * CVE-2021-3281: Fix a potential directory-traversal exploit via
     archive.extract(). The django.utils.archive.extract() function, used by
     startapp --template and startproject --template, allowed directory
     traversal via an archive with absolute paths or relative paths with dot
     segments. (Closes: #981562)
 .
   * CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
     cloaking". Django contains a copy of urllib.parse.parse_qsl() which was
     added to backport some security fixes. A further security fix has been
     issued recently such that parse_qsl() no longer allows using ";" as a
     query parameter separator by default. (Closes: #983090)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-
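An added illustration of the parse_qsl() separator change behind CVE-2021-23336 (not code from the Debian package or from Django): it contrasts the pre-fix and post-fix parsing semantics and flags query strings where a ';'-splitting backend would see parameter names that an '&'-only front end such as a cache does not. It assumes a CPython whose urllib.parse.parse_qsl() accepts the separator keyword; the function names and the access-log lines are constructed for the example.

```python
"""Detect query strings whose parameter set depends on the ';' separator semantics."""
from typing import List, Set, Tuple
from urllib.parse import parse_qsl

# Constructed sample access-log lines (request path plus query string only).
SAMPLE_LOG = [
    "/search?q=django&page=2",
    "/search?q=django;debug=1",
    "/static/app.css",
]


def parse_fixed(qs: str) -> List[Tuple[str, str]]:
    """Post-fix semantics: only '&' separates parameters (the current default)."""
    return parse_qsl(qs, keep_blank_values=True, separator="&")


def parse_legacy(qs: str) -> List[Tuple[str, str]]:
    """Emulate the pre-fix semantics, where both '&' and ';' separated parameters."""
    pairs: List[Tuple[str, str]] = []
    for chunk in qs.split("&"):
        pairs.extend(parse_qsl(chunk, keep_blank_values=True, separator=";"))
    return pairs


def cloaked_names(qs: str) -> Set[str]:
    """Names a ';'-splitting backend sees that an '&'-only front end does not.

    A non-empty result means the cache key and the application disagree on
    which parameters the request carries, which is the condition a cache
    poisoning attempt relies on.
    """
    front = {name for name, _ in parse_fixed(qs)}
    back = {name for name, _ in parse_legacy(qs)}
    return back - front


def flag_requests(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (request, hidden parameter names) for every log line that diverges."""
    flagged = []
    for line in lines:
        _, _, qs = line.partition("?")
        hidden = cloaked_names(qs)
        if hidden:
            flagged.append((line, sorted(hidden)))
    return flagged


if __name__ == "__main__":
    for request, names in flag_requests(SAMPLE_LOG):
        print(f"{request}: parameters only a ';'-splitting parser sees: {names}")
```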