[ubuntu/hirsute-security] python-django 2:2.2.20-1ubuntu0.2 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Wed Jun 2 10:40:11 UTC 2021


python-django (2:2.2.20-1ubuntu0.2) hirsute-security; urgency=medium

  * SECURITY UPDATE: header injection in URLValidator with Python 3.9.5+
    - debian/patches/CVE-2021-32052.patch: prevent newlines and tabs from
      being accepted in URLValidator in django/core/validators.py,
      tests/validators/tests.py.
    - CVE-2021-32052
  * SECURITY UPDATE: potential directory traversal via admindocs
    - debian/patches/CVE-2021-33203.patch: use safe_join in
      django/contrib/admindocs/views.py, tests/admin_docs/test_views.py.
    - CVE-2021-33203
  * SECURITY UPDATE: possible indeterminate SSRF, RFI, and LFI attacks
    since validators accepted leading zeros in IPv4 addresses
    - debian/patches/CVE-2021-33571.patch: prevent leading zeros in IPv4
      addresses in django/core/validators.py,
      tests/validators/invalid_urls.txt, tests/validators/tests.py,
      tests/validators/valid_urls.txt.
    - CVE-2021-33571

Date: 2021-05-26 14:28:09.498300+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/python-django/2:2.2.20-1ubuntu0.2
-------------- next part --------------
Sorry, changesfile not available.


More information about the Hirsute-changes mailing list