[ubuntu-cloud-archive/ussuri-proposed] python-django (Accepted)

[Corey Bryant]

 python-django (2:2.2.12-1ubuntu0.7~cloud0) bionic-ussuri; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 python-django (2:2.2.12-1ubuntu0.7) focal-security; urgency=medium
 .
   * SECURITY UPDATE: header injection in URLValidator with Python 3.9.5+
     - debian/patches/CVE-2021-32052.patch: prevent newlines and tabs from
       being accepted in URLValidator in django/core/validators.py,
       tests/validators/tests.py.
     - CVE-2021-32052
   * SECURITY UPDATE: potential directory traversal via admindocs
     - debian/patches/CVE-2021-33203.patch: use safe_join in
       django/contrib/admindocs/views.py, tests/admin_docs/test_views.py.
     - CVE-2021-33203
   * SECURITY UPDATE: possible indeterminate SSRF, RFI, and LFI attacks
     since validators accepted leading zeros in IPv4 addresses
     - debian/patches/CVE-2021-33571.patch: prevent leading zeros in IPv4
       addresses in django/core/validators.py,
       tests/validators/invalid_urls.txt, tests/validators/tests.py,
       tests/validators/valid_urls.txt.
     - CVE-2021-33571

Date: Wed, 02 Jun 2021 11:39:10 +0000
Changed-By: Openstack Ubuntu Testing Bot <openstack-testing-bot at ubuntu.com>
Signed-By: Openstack Ubuntu Testing Bot
Published-By: Corey Bryant <corey.bryant at canonical.com>