USN-4975-1: Django vulnerabilities
2 June 2021
Several security issues were fixed in Django.
Releases
Packages
- python-django - High-level Python web development framework
Details
It was discovered that the Django URLValidator function incorrectly handled
newlines and tabs. A remote attacker could possibly use this issue to
perform a header injection attack. This issue only affected Ubuntu 20.04
LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-32052)
Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen discovered that Django
incorrectly handled path sanitation in admindocs. A remote attacker could
possibly use this issue to determine the existence of arbitrary files and
in certain configurations obtain their contents. (CVE-2021-33203)
It was discovered that Django incorrectly handled IPv4 addresses with
leading zeros. A remote attacker could possibly use this issue to perform a
wide variety of attacks, including bypassing certain access restrictions.
(CVE-2021-33571)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 21.04
Ubuntu 20.10
Ubuntu 20.04
Ubuntu 18.04
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-5373-1: python-django-doc, python3-django, python-django-common, python-django
- USN-5373-2: python-django-doc, python3-django, python-django-common, python-django
- USN-4975-2: python-django-doc, python3-django, python-django-common, python-django