oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Django: CVE-2021-3281: Potential directory-traversal via archive.extract()

From: Mariusz Felisiak <felisiak.mariusz () gmail com>
Date: Mon, 1 Feb 2021 10:44:09 +0100
https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
In accordance with `our security release policy <https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team is issuing 
`Django 3.1.6 <https://docs.djangoproject.com/en/dev/releases/3.1.6/>`_,
`Django 3.0.12 <https://docs.djangoproject.com/en/dev/releases/3.0.12/>`_ and 
`Django 2.2.18 <https://docs.djangoproject.com/en/dev/releases/2.2.18/>`_.
These releases address the security issue with severity "low" detailed below. We encourage all users of Django to upgrade as soon as possible. 

CVE-2021-3281: Potential directory-traversal via ``archive.extract()``
======================================================================

The ``django.utils.archive.extract()`` function, used by
``startapp --template`` and ``startproject --template``, allowed
directory-traversal via an archive with absolute paths or relative paths with 
dot segments.

Thank you to Wang Baohua for the report.

Affected supported versions
===========================

* Django master branch
* Django 3.2 (currently at alpha status)
* Django 3.1
* Django 3.0
* Django 2.2

Resolution
==========

Patches to resolve the issue have been applied to Django's master branch and
the 3.2, 3.1, 3.0, and 2.2 release branches. The patches may be obtained from the following changesets:
* On the `master branch <https://github.com/django/django/commit/05413afa8c18cdb978fcdf470e09f7a12b234a23>`__ * On the `3.2 release branch <https://github.com/django/django/commit/f944f79e555c91571192022a6bb9ddf2178db7ed>`__ * On the `3.1 release branch <https://github.com/django/django/commit/02e6592835b4559909aa3aaaf67988fef435f624>`__ * On the `3.0 release branch <https://github.com/django/django/commit/52e409ed17287e9aabda847b6afe58be2fa9f86a>`__ * On the `2.2 release branch <https://github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37>`__ 

The following releases have been issued:
* Django 3.1.6 (`download Django 3.1.6 <https://www.djangoproject.com/m/releases/3.1/Django-3.1.6.tar.gz>`_ | `3.1.6 checksums <https://www.djangoproject.com/m/pgp/Django-3.1.6.checksum.txt>`_) * Django 3.0.12 (`download Django 3.0.12 <https://www.djangoproject.com/m/releases/3.0/Django-3.0.12.tar.gz>`_ | `3.0.12 checksums <https://www.djangoproject.com/m/pgp/Django-3.0.12.checksum.txt>`_) * Django 2.2.18 (`download Django 2.2.18 <https://www.djangoproject.com/m/releases/2.2/Django-2.2.18.tar.gz>`_ | `2.2.18 checksums <https://www.djangoproject.com/m/pgp/Django-2.2.18.checksum.txt>`_)
The PGP key ID used for this release is Mariusz Felisiak: `2EF56372BA48CD1B <https://github.com/felixxm.gpg>`_. 

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.
Previous By Date Next
Previous By Thread Next

Current thread: