
Debian alert DLA-2651-1 (python-django)

From:  Chris Lamb <lamby@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 2651-1] python-django security update
Date:  Thu, 06 May 2021 10:26:03 +0100
Message-ID:   <162029288259.613693.7912587258253258757@tinycat.chris-lamb.co.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2651-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
May 06, 2021                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python-django
Version        : 1:1.10.7-2+deb9u13
CVE ID         : CVE-2021-31542
Debian Bug     : #988053

It was discovered that there was a potential directory-traversal
vulnerability in Django, a popular Python-based web development
framework.

The MultiPartParser, UploadedFile and FieldFile classes allowed
directory-traversal via uploaded files with suitably crafted file
names. In order to mitigate this risk, stricter basename and path
sanitation is now applied. Specifically, empty file names and paths
with dot segments are rejected.

For Debian 9 "Stretch", this problem has been fixed in version
1:1.10.7-2+deb9u13.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmCTtQ0ACgkQHpU+J9Qx
Hlh0Wg/8DGkgyGOP8oeIWwy7uU3+HycLgB9Z1KvQ3B05H3Bj4sgWBsU3jJ7r9raI
VbC/A3S5aauL3AfjMK4Akd4pkMYhDMBhRCioHrPqMf9dpJvQzKZMU+MhDBlGoPks
UzlZv6uAbgafasXKIY2jdTbOwbjz5F6+prP4+CoYhkibkyY/R8MnpDKZgnE7i1oS
GS5E4qvCyaP2bqoXPEN8uwbV/ZTBYZ45TRTOzTfOXjevjFJBHch7dCwYVyxRaClG
X3Me1cC2lFE2N8FcZZgv5MPysAl83PFbc5sTKntnGKcZSN83Th0iSkwOFpD2sMDE
jZeEGhuZBkPZmZkKsBtIWYe91ZgWqQzifdjWA0hPJ8ZXTsA11mkCGCJRsw9swxrz
rjf+EN7OwKUc627oyEupegTSLd0VQ/n5pE7m27cCMBWrO5CU96/65AJwGWjmd3ZH
jTNa0Mz5npxSfTooDv7PoWiMBCgPqvhdj/UC3cyPAwhFaAfzFy9rnCrg7l+wY3QP
JS9RfylAOs9Vr9Dwdh+GDkIl6NnjLdZ9mqmvImZb2MRXZOtKEVQSCskMwT5Zu5Iu
a0OWC+QUhvEi6LVm+CgWnDSC/eSrYwepJQoGDbp9wKAMQnesg1TnvhxX87GqjE6a
t9zSsOgJtnBaPvKNEB4Yi3TmyIiTE6Eccc46hgU+VP+NfwlJdw8=
=2YmT
-----END PGP SIGNATURE-----
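The advisory describes the fix only in outline: uploaded file names are reduced to a basename, and empty names and paths containing dot segments are rejected. The following is an added illustration of that kind of sanitation for a file-upload handler; it is not Django's own code and is not the patch shipped in 1:1.10.7-2+deb9u13. The function names, the `SuspiciousFileName` exception and the `/srv/uploads` storage root are assumptions made for the example; both `/` and `\` are treated as separators on the assumption that the name comes from an untrusted client, and the containment check uses POSIX-style paths.

```python
import os
import posixpath


class SuspiciousFileName(ValueError):
    """Raised when an uploaded file name or path fails sanitation (hypothetical name)."""


DOT_SEGMENTS = {".", ".."}


def sanitize_upload_name(name):
    """Reduce a client-supplied file name to a safe basename.

    Directory components are discarded ('/' and '\\' are both treated as
    separators because the name is untrusted), and the resulting basename
    is rejected if it is empty or a dot segment, as the advisory describes.
    """
    if name is None:
        raise SuspiciousFileName("missing file name")
    base = posixpath.basename(name.replace("\\", "/"))
    if base == "" or base in DOT_SEGMENTS:
        raise SuspiciousFileName("rejected upload name: %r" % (name,))
    return base


def validate_upload_path(storage_root, relative_name):
    """Resolve relative_name under storage_root, refusing traversal.

    Every path segment must be non-empty and must not be '.' or '..';
    absolute names are refused; and the resolved path must still lie
    inside storage_root after normalisation (defence in depth).
    """
    if not relative_name:
        raise SuspiciousFileName("empty upload path")
    normalized = relative_name.replace("\\", "/")
    if normalized.startswith("/"):
        raise SuspiciousFileName("absolute upload path: %r" % (relative_name,))
    segments = normalized.split("/")
    for segment in segments:
        if segment == "" or segment in DOT_SEGMENTS:
            raise SuspiciousFileName("dot or empty segment in %r" % (relative_name,))
    root = os.path.abspath(storage_root)
    target = os.path.abspath(os.path.join(root, *segments))
    # Even after the segment checks, confirm the target is inside the root.
    if os.path.commonpath([root, target]) != root:
        raise SuspiciousFileName("escapes storage root: %r" % (relative_name,))
    return target


def is_rejected(func, *args):
    """True if func(*args) raises SuspiciousFileName; used by the demo below."""
    try:
        func(*args)
    except SuspiciousFileName:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names, as a client might send them in a multipart upload.
    samples = ["report.pdf", "../../etc/passwd", "..", "", "dir/", "a/./b"]
    for sample in samples:
        print("%-20r basename ok: %-5s path ok: %s" % (
            sample,
            not is_rejected(sanitize_upload_name, sample),
            not is_rejected(validate_upload_path, "/srv/uploads", sample)))
```

The two functions reflect the two situations the advisory names: a bare upload (MultiPartParser/UploadedFile), where only the final component of the client's name is ever used, and a storage path built from a name (FieldFile), where every segment is checked and the resolved location is confirmed to remain under the storage root. Silently stripping directory components is enough for the first case; for the second, a dot segment anywhere in the path is grounds for rejection rather than normalisation.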




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds