diff -Nru python-django-2.2.12/debian/changelog python-django-2.2.12/debian/changelog
--- python-django-2.2.12/debian/changelog 2020-08-25 13:58:36.000000000 +0000
+++ python-django-2.2.12/debian/changelog 2021-01-25 12:31:24.000000000 +0000
@@ -1,3 +1,12 @@
+python-django (2:2.2.12-1ubuntu0.3) focal-security; urgency=medium
+
+ * SECURITY UPDATE: Potential directory-traversal via archive.extract()
+ - debian/patches/CVE-2021-3281.patch: check for invalid paths in
+ django/utils/archive.py.
+ - CVE-2021-3281
+
+ -- Marc Deslauriers Mon, 25 Jan 2021 07:31:24 -0500
+
 python-django (2:2.2.12-1ubuntu0.2) focal-security; urgency=medium
 
 * SECURITY UPDATE: Incorrect permissions on intermediate-level
diff -Nru python-django-2.2.12/debian/patches/CVE-2021-3281.patch python-django-2.2.12/debian/patches/CVE-2021-3281.patch
--- python-django-2.2.12/debian/patches/CVE-2021-3281.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-django-2.2.12/debian/patches/CVE-2021-3281.patch 2021-01-25 12:31:19.000000000 +0000
@@ -0,0 +1,79 @@
+From 77aafbae422e69fd96fffde95ad4af71bd39ce27 Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak
+Date: Fri, 22 Jan 2021 12:23:18 +0100
+Subject: [PATCH] [2.2.x] Fixed CVE-2021-3281 -- Fixed potential
+ directory-traversal via archive.extract().
+
+Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews.
+
+Thanks Wang Baohua for the report.
+
+Backport of bb76e00d125821fcf887c6e0ca3fd081f61d6e5e from master.
+---
+ django/utils/archive.py | 17 +++++++++++---
+ docs/releases/2.2.18.txt | 15 +++++++++++++
+ docs/releases/index.txt | 1 +
+ tests/utils_tests/test_archive.py | 21 ++++++++++++++++++
+ .../traversal_archives/traversal.tar | Bin 0 -> 10240 bytes
+ .../traversal_archives/traversal_absolute.tar | Bin 0 -> 10240 bytes
+ .../traversal_archives/traversal_disk_win.tar | Bin 0 -> 10240 bytes
+ .../traversal_archives/traversal_disk_win.zip | Bin 0 -> 312 bytes
+ 8 files changed, 51 insertions(+), 3 deletions(-)
+ create mode 100644 docs/releases/2.2.18.txt
+ create mode 100644 tests/utils_tests/traversal_archives/traversal.tar
+ create mode 100644 tests/utils_tests/traversal_archives/traversal_absolute.tar
+ create mode 100644 tests/utils_tests/traversal_archives/traversal_disk_win.tar
+ create mode 100644 tests/utils_tests/traversal_archives/traversal_disk_win.zip
+
+diff --git a/django/utils/archive.py b/django/utils/archive.py
+index 5b9998f89c..f2f153a1fc 100644
+--- a/django/utils/archive.py
++++ b/django/utils/archive.py
+@@ -27,6 +27,8 @@ import stat
+ import tarfile
+ import zipfile
+ 
++from django.core.exceptions import SuspiciousOperation
++
+ 
+ class ArchiveException(Exception):
+ """
+@@ -133,6 +135,13 @@ class BaseArchive:
+ return False
+ return True
+ 
++ def target_filename(self, to_path, name):
++ target_path = os.path.abspath(to_path)
++ filename = os.path.abspath(os.path.join(target_path, name))
++ if not filename.startswith(target_path):
++ raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
++ return filename
++
+ def extract(self):
+ raise NotImplementedError('subclasses of BaseArchive must provide an extract() method')
+ 
+@@ -155,7 +164,7 @@ class TarArchive(BaseArchive):
+ name = member.name
+ if leading:
+ name = self.split_leading_dir(name)[1]
+- filename = os.path.join(to_path, name)
++ filename = self.target_filename(to_path, name)
+ if member.isdir():
+ if filename and not os.path.exists(filename):
+ os.makedirs(filename)
+@@ -198,11 +207,13 @@ class ZipArchive(BaseArchive):
+ info = self._archive.getinfo(name)
+ if leading:
+ name = self.split_leading_dir(name)[1]
+- filename = os.path.join(to_path, name)
++ if not name:
++ continue
++ filename = self.target_filename(to_path, name)
+ dirname = os.path.dirname(filename)
+ if dirname and not os.path.exists(dirname):
+ os.makedirs(dirname)
+- if filename.endswith(('/', '\\')):
++ if name.endswith(('/', '\\')):
+ # A directory
+ if not os.path.exists(filename):
+ os.makedirs(filename)
diff -Nru python-django-2.2.12/debian/patches/series python-django-2.2.12/debian/patches/series
--- python-django-2.2.12/debian/patches/series 2020-08-25 13:58:29.000000000 +0000
+++ python-django-2.2.12/debian/patches/series 2021-01-25 12:31:19.000000000 +0000
@@ -7,3 +7,4 @@
 CVE-2020-13596.patch
 CVE-2020-24583.patch
 CVE-2020-24584.patch
+CVE-2021-3281.patch
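Review bot: The check `if not filename.startswith(target_path):` in the new `target_filename` still admits an entry that resolves to a sibling directory whose name merely begins with the destination's: with `to_path` of `/srv/extract` and a member `../extract_old/x`, `filename` becomes `/srv/extract_old/x`, which starts with `/srv/extract`, so no `SuspiciousOperation` is raised and the write lands outside `to_path`. Anchoring the prefix on a separator closes that hole while still accepting the tar case where a member reduces to the destination itself (`filename == target_path`, which the tar hunk's `if filename and not os.path.exists(filename)` line appears to anticipate): `if filename != target_path and not filename.startswith(os.path.join(target_path, '')):`. `os.path.join(target_path, '')` yields the directory with a trailing `os.sep` (and leaves a bare `/` as `/`), so this needs nothing beyond the `os.path` calls the hunk already makes. Both `extract` loops that call the helper begin and end outside the hunk, so how the raised `SuspiciousOperation` reaches callers is not visible here.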