Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DLA-3164-1:A25EA
HistoryOct 28, 2022 - 5:28 p.m.

[SECURITY] [DLA 3164-1] python-django security update

2022-10-2817:28:30
lists.debian.org
24
JSON

Debian LTS Advisory DLA-3164-1 [email protected]
https://www.debian.org/lts/security/ Chris Lamb
October 28, 2022 https://wiki.debian.org/LTS

Package : python-django
Version : 1:1.11.29-1+deb10u2
CVE IDs : CVE-2020-24583 CVE-2020-24584 CVE-2021-3281
CVE-2021-23336 CVE-2022-34265
Debian Bugs : 969367 981562 983090 1014541

Multiple vulnerabilities were discovered in Django, a popular
Python-based web development framework:

  • CVE-2020-24583: Fix incorrect permissions on intermediate-level
    directories on Python 3.7+. FILE_UPLOAD_DIRECTORY_PERMISSIONS mode
    was not applied to intermediate-level directories created in the
    process of uploading files and to intermediate-level collected
    static directories when using the collectstatic management
    command. You should review and manually fix permissions on
    existing intermediate-level directories.

  • CVE-2020-24584: Correct permission escalation vulnerability in
    intermediate-level directories of the file system cache. On Python
    3.7 and above, the intermediate-level directories of the file
    system cache had the system's standard umask rather than 0o077 (no
    group or others permissions).

  • CVE-2021-3281: Fix a potential directory-traversal exploit via
    archive.extract(). The django.utils.archive.extract() function,
    used by startapp --template and startproject --template, allowed
    directory traversal via an archive with absolute paths or relative
    paths with dot segments.

  • CVE-2021-23336: Prevent a web cache poisoning attack via "parameter
    cloaking". Django contains a copy of urllib.parse.parse_qsl()
    which was added to backport some security fixes. A further
    security fix has been issued recently such that parse_qsl() no
    longer allows using ";" as a query parameter separator by default.

  • CVE-2022-34265: The Trunc() and Extract() database functions were
    subject to a potential SQL injection attach if untrusted data was
    used as a value for the "kind" or "lookup_name" parameters.
    Applications that constrain the choice to a known safe list were
    unaffected.

For Debian 10 buster, these problems have been fixed in version
1:1.11.29-1+deb10u2.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Related

nessus 32
openvas 44
osv 28
fedora 21
archlinux 3
freebsd 2
ubuntu 5
altlinux 5
ubuntucve 5
cve 5
github 4
veracode 5
alpinelinux 5
debiancve 5
githubexploit 6
redhatcve 5
prion 5
jvn 1
redhat 1
mageia 3
debian 2
suse 1
cbl_mariner 3
photon 2
sonarsource 1
nessus
nessus
Debian DLA-3164-1 : python-django - LTS security update
2022-10-28 00:00:00
Fedora 31 : python-django (2020-6941c0a65b)
2020-09-14 00:00:00
Ubuntu 20.04 LTS : Django vulnerabilities (USN-4479-1)
2020-09-02 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-3164-1)
2022-10-30 00:00:00
Ubuntu: Security Advisory (USN-4479-1)
2020-09-02 00:00:00
Fedora: Security Advisory for python-django (FEDORA-2020-94407454d7)
2020-09-13 00:00:00
osv
osv
python-django - security update
2022-10-27 00:00:00
PYSEC-2020-34
2020-09-01 13:15:00
Django Incorrect Default Permissions
2021-03-18 20:30:01
fedora
fedora
[SECURITY] Fedora 31 Update: python-django-2.2.16-1.fc31
2020-09-12 16:37:34
[SECURITY] Fedora 33 Update: python-django-3.0.10-3.fc33
2020-09-25 17:14:42
[SECURITY] Fedora 32 Update: python-django-3.0.10-3.fc32
2020-09-12 16:34:37
archlinux
archlinux
[ASA-202009-4] python-django: multiple issues
2020-09-03 00:00:00
[ASA-202102-18] python-django: directory traversal
2021-02-07 00:00:00
[ASA-202102-28] python-django: url request injection
2021-02-20 00:00:00
freebsd
freebsd
Django -- multiple vulnerabilities
2020-09-01 00:00:00
Django -- multiple vulnerabilities
2022-06-21 00:00:00
ubuntu
ubuntu
Django vulnerabilities
2020-09-01 00:00:00
Django vulnerability
2022-07-04 00:00:00
Django vulnerability
2021-02-01 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 9 package python3-module-django version 2.2.19-alt1
2021-04-12 00:00:00
Security fix for the ALT Linux 10 package python3-module-django version 2.2.19-alt1
2021-02-24 00:00:00
Security fix for the ALT Linux 9 package python3-module-django version 2.2.17-alt1
2020-12-11 00:00:00
ubuntucve
ubuntucve
CVE-2020-24583
2020-09-01 00:00:00
CVE-2020-24584
2020-09-01 00:00:00
CVE-2022-34265
2022-07-04 00:00:00
cve
cve
CVE-2020-24584
2020-09-01 13:15:00
CVE-2020-24583
2020-09-01 13:15:00
CVE-2022-34265
2022-07-04 16:15:00
github
github
Django Incorrect Default Permissions
2021-03-18 20:30:01
Django Incorrect Default Permissions
2021-03-18 20:30:13
Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection
2022-07-05 00:00:53
veracode
veracode
Privilege Escalation
2020-09-02 05:49:52
Authorization Bypass
2020-09-02 03:58:03
SQL Injection
2022-07-05 04:15:37
alpinelinux
alpinelinux
CVE-2020-24584
2020-09-01 13:15:00
CVE-2022-34265
2022-07-04 16:15:00
CVE-2020-24583
2020-09-01 13:15:00
debiancve
debiancve
CVE-2020-24584
2020-09-01 13:15:00
CVE-2020-24583
2020-09-01 13:15:00
CVE-2022-34265
2022-07-04 16:15:00
githubexploit
githubexploit
Exploit for SQL Injection in Djangoproject Django
2022-08-24 07:29:30
Exploit for SQL Injection in Djangoproject Django
2022-07-13 13:02:41
Exploit for SQL Injection in Djangoproject Django
2022-09-08 21:22:28
redhatcve
redhatcve
CVE-2020-24583
2020-09-01 13:48:54
CVE-2020-24584
2020-09-01 13:48:55
CVE-2022-34265
2022-07-04 14:36:30
prion
prion
Design/Logic Flaw
2020-09-01 13:15:00
Command injection
2020-09-01 13:15:00
Sql injection
2022-07-04 16:15:00
jvn
jvn
JVN#12610194: Django Extract and Trunc functions vulnerable to SQL injection
2022-07-12 00:00:00
redhat
redhat
(RHSA-2022:5738) Important: Django 3.2.14 Security Update
2022-07-27 14:32:20
mageia
mageia
Updated python and python3 packages fix security vulnerability
2021-04-02 13:16:21
Updated python-django package fixes a security vulnerability
2021-03-15 00:20:42
Updated python-django packages fix security vulnerability
2022-08-13 05:32:35
debian
debian
[SECURITY] [DLA 2569-1] python-django security update
2021-02-19 16:24:07
[SECURITY] [DLA 2540-1] python-django security update
2021-02-01 18:37:39
suse
suse
Security update for python (moderate)
2021-03-17 00:00:00
cbl_mariner
cbl_mariner
CVE-2021-23336 affecting package python3 3.7.9-4
2021-07-08 21:56:42
CVE-2021-23336 affecting package python2 2.7.18-8
2022-04-09 06:51:57
CVE-2021-23336 affecting package python2 2.7.18-14
2021-04-06 23:50:12
photon
photon
Important Photon OS Security Update - PHSA-2021-0204
2021-03-05 00:00:00
Moderate Photon OS Security Update - PHSA-2021-3.0-0204
2021-03-05 00:00:00
sonarsource
sonarsource
10 Unknown Security Pitfalls for Python
2021-11-16 00:00:00
JSON
Related for DEBIAN:DLA-3164-1:A25EA
nessus32openvas44osv28fedora21archlinux3freebsd2ubuntu5altlinux5ubuntucve5cve5github4veracode5alpinelinux5debiancve5githubexploit6redhatcve5prion5jvn1redhat1mageia3debian2suse1cbl_mariner3photon2sonarsource1