{"id":"MGASA-2021-0356","summary":"Updated python-django package fixes security vulnerabilities","details":"In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8,\nMultiPartParser allowed directory traversal via uploaded files with suitably\ncrafted file names. Built-in upload handlers were not affected by this\nvulnerability (CVE-2021-28658).\n\nIn Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1,\nMultiPartParser, UploadedFile, and FieldFile allowed directory traversal via\nuploaded files with suitably crafted file names (CVE-2021-31542).\n\nIn Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with\nPython 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the\nURLField form field is used). If an application uses values with newlines in\nan HTTP response, header injection can occur. Django itself is unaffected\nbecause HttpResponse prohibits newlines in HTTP headers (CVE-2021-32052).\n\nDjango before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential\ndirectory traversal via django.contrib.admindocs. Staff members could use the\nTemplateDetailView view to check the existence of arbitrary files.\nAdditionally, if (and only if) the default admindocs templates have been\ncustomized by application developers to also show file contents, then not only\nthe existence but also the file contents would have been exposed. In other\nwords, there is directory traversal outside of the template root directories\n(CVE-2021-33203).\n\nIn Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4,\nURLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit\nleading zero characters in octal literals. This may allow a bypass of access\ncontrol that is based on IP addresses. (validate_ipv4_address and\nvalidate_ipv46_address are unaffected with Python 3.9.5+..) (CVE-2021-33571).\n\nDjango 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by\nSQL injection if order_by is untrusted input from a client of a web application\n(CVE-2021-35042).\n\npython-django package is updated to 3.1.13 version to fix these security\nissues among other upstream bugfixes, see upstream release notes.\n","modified":"2026-04-16T00:10:04.512873451Z","published":"2021-07-16T08:25:31Z","upstream":["CVE-2021-28658","CVE-2021-31542","CVE-2021-32052","CVE-2021-33203","CVE-2021-33571","CVE-2021-35042"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0356.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=28802"},{"type":"WEB","url":"https://www.djangoproject.com/weblog/2021/apr/06/security-releases/"},{"type":"WEB","url":"https://www.djangoproject.com/weblog/2021/may/04/security-releases/"},{"type":"WEB","url":"https://www.djangoproject.com/weblog/2021/may/06/security-releases/"},{"type":"WEB","url":"https://www.djangoproject.com/weblog/2021/jun/02/security-releases/"},{"type":"WEB","url":"https://www.djangoproject.com/weblog/2021/jul/01/security-releases/"},{"type":"WEB","url":"https://docs.djangoproject.com/en/dev/releases/3.1.8/"},{"type":"WEB","url":"https://docs.djangoproject.com/en/dev/releases/3.1.9/"},{"type":"WEB","url":"https://docs.djangoproject.com/en/dev/releases/3.1.10/"},{"type":"WEB","url":"https://docs.djangoproject.com/en/dev/releases/3.1.11/"},{"type":"WEB","url":"https://docs.djangoproject.com/en/dev/releases/3.1.12/"},{"type":"WEB","url":"https://docs.djangoproject.com/en/dev/releases/3.1.13/"},{"type":"WEB","url":"https://www.debian.org/lts/security/2021/dla-2622"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4902-1"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4932-1"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4975-1"}],"affected":[{"package":{"name":"python-django","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/python-django?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.13-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0356.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}