Publishing details

• Removed from disk on 2021-12-08.
• Removal requested on 2021-12-08.
• Superseded on 2021-12-07 by python-django - 2:2.2.20-1ubuntu0.3
• Published on 2021-06-02
• Copied from ubuntu hirsute in Private PPA for Ubuntu Security Team by Marc Deslauriers

Changelog

python-django (2:2.2.20-1ubuntu0.2) hirsute-security; urgency=medium

  * SECURITY UPDATE: header injection in URLValidator with Python 3.9.5+
    - debian/patches/CVE-2021-32052.patch: prevent newlines and tabs from
      being accepted in URLValidator in django/core/validators.py,
      tests/validators/tests.py.
    - CVE-2021-32052
  * SECURITY UPDATE: potential directory traversal via admindocs
    - debian/patches/CVE-2021-33203.patch: use safe_join in
      django/contrib/admindocs/views.py, tests/admin_docs/test_views.py.
    - CVE-2021-33203
  * SECURITY UPDATE: possible indeterminate SSRF, RFI, and LFI attacks
    since validators accepted leading zeros in IPv4 addresses
    - debian/patches/CVE-2021-33571.patch: prevent leading zeros in IPv4
      addresses in django/core/validators.py,
      tests/validators/invalid_urls.txt, tests/validators/tests.py,
      tests/validators/valid_urls.txt.
    - CVE-2021-33571

 -- Marc Deslauriers <email address hidden>  Wed, 26 May 2021 08:52:14 -0400

Builds

• amd64

Package files

• python-django-doc_2.2.20-1ubuntu0.2_all.deb (3.0 MiB)
• python-django_2.2.20-1ubuntu0.2.debian.tar.xz (33.1 KiB)
• python-django_2.2.20-1ubuntu0.2.dsc (2.8 KiB)
• python-django_2.2.20.orig.tar.gz (8.8 MiB)
• python3-django_2.2.20-1ubuntu0.2_all.deb (2.5 MiB)