Ubuntu Security Notice 4975-1 - It was discovered that the Django URLValidator function incorrectly handled newlines and tabs. A remote attacker could possibly use this issue to perform a header injection attack. This issue only affected Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04. Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen discovered that Django incorrectly handled path sanitation in admindocs. A remote attacker could possibly use this issue to determine the existence of arbitrary files and in certain configurations obtain their contents. Various other issues were also addressed.
23dda5ba935125c5afba517c657a63caaeaad0e6c1d85a6b3a1006d40d42023b
==========================================================================
Ubuntu Security Notice USN-4975-1
June 02, 2021
python-django vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.04
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in Django.
Software Description:
- python-django: High-level Python web development framework
Details:
It was discovered that the Django URLValidator function incorrectly handled
newlines and tabs. A remote attacker could possibly use this issue to
perform a header injection attack. This issue only affected Ubuntu 20.04
LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-32052)
Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen discovered that Django
incorrectly handled path sanitation in admindocs. A remote attacker could
possibly use this issue to determine the existence of arbitrary files and
in certain configurations obtain their contents. (CVE-2021-33203)
It was discovered that Django incorrectly handled IPv4 addresses with
leading zeros. A remote attacker could possibly use this issue to perform a
wide variety of attacks, including bypassing certain access restrictions.
(CVE-2021-33571)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 21.04:
python3-django 2:2.2.20-1ubuntu0.2
Ubuntu 20.10:
python3-django 2:2.2.16-1ubuntu0.5
Ubuntu 20.04 LTS:
python3-django 2:2.2.12-1ubuntu0.7
Ubuntu 18.04 LTS:
python-django 1:1.11.11-1ubuntu1.14
python3-django 1:1.11.11-1ubuntu1.14
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-4975-1
CVE-2021-32052, CVE-2021-33203, CVE-2021-33571
Package Information:
https://launchpad.net/ubuntu/+source/python-django/2:2.2.20-1ubuntu0.2
https://launchpad.net/ubuntu/+source/python-django/2:2.2.16-1ubuntu0.5
https://launchpad.net/ubuntu/+source/python-django/2:2.2.12-1ubuntu0.7
https://launchpad.net/ubuntu/+source/python-django/1:1.11.11-1ubuntu1.14