USN-4975-1: Django vulnerabilities
2 June 2021
Several security issues were fixed in Django.
Releases
Packages
- python-django - High-level Python web development framework
Details
It was discovered that the Django URLValidator function incorrectly handled
newlines and tabs. A remote attacker could possibly use this issue to
perform a header injection attack. This issue only affected Ubuntu 20.04
LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-32052)
Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen discovered that Django
incorrectly handled path sanitization in admindocs. A remote attacker could
possibly use this issue to determine the existence of arbitrary files and
in certain configurations obtain their contents. (CVE-2021-33203)
It was discovered that Django incorrectly handled IPv4 addresses with
leading zeros. A remote attacker could possibly use this issue to perform a
wide variety of attacks, including bypassing certain access restrictions.
(CVE-2021-33571)
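
The following is an added example, not part of the Ubuntu notice and not Django's own code. It shows why leading zeros in IPv4 octets (CVE-2021-33571) matter: a lenient validator accepts a string that different parsers can read as two different addresses, while a strict validator rejects it. The function names and the sample address are constructed for illustration, and the lenient check is a simplified model of a validator that tolerates leading zeros.

```python
"""Leading zeros in IPv4 octets: one string, two possible addresses."""


def _octets_ok(parts, allow_leading_zero):
    """Check four ASCII-digit octets, each at most 3 digits and within 0-255."""
    if len(parts) != 4:
        return False
    for p in parts:
        if not (p.isascii() and p.isdigit() and len(p) <= 3 and int(p) <= 255):
            return False
        if not allow_leading_zero and len(p) > 1 and p[0] == "0":
            return False
    return True


def lenient_is_ipv4(text):
    """Simplified model of a check that tolerates leading zeros."""
    return _octets_ok(text.split("."), allow_leading_zero=True)


def strict_is_ipv4(text):
    """Hardened check: any octet written with a leading zero is rejected."""
    return _octets_ok(text.split("."), allow_leading_zero=False)


def read_as_decimal(text):
    """How a parser that ignores leading zeros reads the address."""
    return ".".join(str(int(p, 10)) for p in text.split("."))


def read_as_octal(text):
    """How an inet_aton-style parser reads it: a leading zero means octal.

    Raises ValueError if a zero-prefixed octet contains a non-octal digit.
    """
    return ".".join(
        str(int(p, 8)) if len(p) > 1 and p[0] == "0" else str(int(p, 10))
        for p in text.split(".")
    )


if __name__ == "__main__":
    sample = "010.0.0.1"  # constructed sample input
    print("lenient accepts:", lenient_is_ipv4(sample))
    print("strict accepts: ", strict_is_ipv4(sample))
    print("decimal reading:", read_as_decimal(sample))
    print("octal reading:  ", read_as_octal(sample))
```

Any access decision made on one reading while the connection uses the other is what strict validation rules out.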
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 21.04
Ubuntu 20.10
Ubuntu 20.04
Ubuntu 18.04
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-5373-1: python-django, python-django-doc, python-django-common, python3-django
- USN-5373-2: python-django, python-django-doc, python-django-common, python3-django
- USN-4975-2: python-django, python-django-doc, python-django-common, python3-django