Control: tag -1 moreinfo On Thu, Feb 25, 2021 at 04:42:55PM +0000, Chris Lamb wrote: > Please consider python-django (1:1.11.29-1+deb10u1) for buster: > > python-django (1:1.11.29-1+deb10u1) buster; urgency=high > . > * CVE-2021-23336: Prevent a web cache poisoning attack via "parameter > cloaking". Django contains a copy of urllib.parse.parse_qsl() which was > added to backport some security fixes. A further security fix has been > issued recently such that parse_qsl() no longer allows using ";" as a > query parameter separator by default. (Closes: #983090) > . > For more information, please see: > . > https://www.djangoproject.com/weblog/2021/feb/19/security-releases/ > Hi Chris,
I'm not convinced the regression risk here, of changing the longstanding behaviour, is worth it. People using a caching reverse proxy with a different config wrt query strings can just as well fix the issue on that end. Cheers, Julien
