Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
Hi Sébastien,

> They look fine, please upload to security-master.

Done.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-
Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
On 15/06 10:49, Chris Lamb wrote:
> > The full debdiffs are attached. Can you especially check the
> > versioning scheme and distribution fields for me? I often get this
> > wrong and end up confusing myself. Really appreciated.
>
> They are now attached.

They look fine, please upload to security-master.

Cheers,
-- 
Seb
Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
Chris Lamb wrote: > The full debdiffs are attached. Can you especially check the > versioning scheme and distribution fields for me? I often get this > wrong and end up confusing myself. Really appreciated. They are now attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-diff --git a/debian/changelog b/debian/changelog index a84d1b261..f18eaf3ed 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,20 @@ +python-django (1:1.10.7-2+deb9u9) stretch-security; urgency=high + + * CVE-2020-13254: Potential a data leakage via malformed memcached keys. + +In cases where a memcached backend does not perform key validation, passing +malformed cache keys could result in a key collision, and potential data +leakage. In order to avoid this vulnerability, key validation is added to +the memcached cache backends. + + * CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget. + +Query parameters to the admin ForeignKeyRawIdWidget were not properly URL +encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures +query parameters are correctly URL encoded. + + -- Chris Lamb Sat, 13 Jun 2020 15:47:14 +0100 + python-django (1:1.10.7-2+deb9u8) stretch-security; urgency=high * CVE-2020-7471: Prevent a Potential SQL injection via StringAgg(delimiter). diff --git a/debian/patches/0027-CVE-2020-13254.patch b/debian/patches/0027-CVE-2020-13254.patch new file mode 100644 index 0..e2e03f982 --- /dev/null +++ b/debian/patches/0027-CVE-2020-13254.patch 
@@ -0,0 +1,177 @@ +From: Chris Lamb +Date: Sat, 13 Jun 2020 15:31:18 +0100 +Subject: CVE-2020-13254 + +--- + django/core/cache/__init__.py | 4 ++-- + django/core/cache/backends/base.py | 33 + + django/core/cache/backends/memcached.py | 24 ++-- + 3 files changed, 45 insertions(+), 16 deletions(-) + +diff --git a/django/core/cache/__init__.py b/django/core/cache/__init__.py +index 26897ff..dc377a9 100644 +--- a/django/core/cache/__init__.py b/django/core/cache/__init__.py +@@ -17,13 +17,13 @@ from threading import local + from django.conf import settings + from django.core import signals + from django.core.cache.backends.base import ( +-BaseCache, CacheKeyWarning, InvalidCacheBackendError, ++BaseCache, CacheKeyWarning, InvalidCacheBackendError, InvalidCacheKey, + ) + from django.utils.module_loading import import_string + + __all__ = [ + 'cache', 'DEFAULT_CACHE_ALIAS', 'InvalidCacheBackendError', +-'CacheKeyWarning', 'BaseCache', ++'CacheKeyWarning', 'BaseCache', 'InvalidCacheKey', + ] + + DEFAULT_CACHE_ALIAS = 'default' +diff --git a/django/core/cache/backends/base.py b/django/core/cache/backends/base.py +index a07a34e..688ffb8 100644 +--- a/django/core/cache/backends/base.py b/django/core/cache/backends/base.py +@@ -24,6 +24,10 @@ DEFAULT_TIMEOUT = object() + MEMCACHE_MAX_KEY_LENGTH = 250 + + ++class InvalidCacheKey(ValueError): ++pass ++ ++ + def default_key_func(key, key_prefix, version): + """ + Default function to generate keys. +@@ -233,18 +237,8 @@ class BaseCache(object): + backend. This encourages (but does not force) writing backend-portable + cache code. 
+ """ +-if len(key) > MEMCACHE_MAX_KEY_LENGTH: +-warnings.warn( +-'Cache key will cause errors if used with memcached: %r ' +-'(longer than %s)' % (key, MEMCACHE_MAX_KEY_LENGTH), CacheKeyWarning +-) +-for char in key: +-if ord(char) < 33 or ord(char) == 127: +-warnings.warn( +-'Cache key contains characters that will cause errors if ' +-'used with memcached: %r' % key, CacheKeyWarning +-) +-break ++for warning in memcache_key_warnings(key): ++warnings.warn(warning, CacheKeyWarning) + + def incr_version(self, key, delta=1, version=None): + """Adds delta to the cache version for the supplied key. Returns the +@@ -270,3 +264,18 @@ class BaseCache(object): + def close(self, **kwargs): + """Close the cache connection""" + pass ++ ++ ++def memcache_key_warnings(key): ++if len(key) > MEMCACHE_MAX_KEY_LENGTH: ++yield ( ++'Cache key will cause errors if used with memcached: %r ' ++'(longer than %s)' % (key, MEMCACHE_MAX_KEY_LENGTH) ++) ++for char in key: ++if ord(char) < 33 or ord(char) == 127: ++yield ( ++'Cache key contains characters that will cause errors if ' ++'used with memcached: %r' % key, ++) ++break +diff --git a/django/core/cache/backends/memcached.py b/django/core/cache/backends/memcached.py +index ee6b3b7..80395e6 100644 +--- a/django/core/cache/backends/memcached.py b/django/core/cache
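Review bot: the CVE-2020-13254 bullet in the debian/changelog hunk reads "Potential a data leakage via malformed memcached keys"; the stray article should go ("Potential data leakage via malformed memcached keys"), and the same wording is repeated in the buster entry quoted later in this thread, so fix both before upload.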
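Review bot: the header of debian/patches/0027-CVE-2020-13254.patch carries only "Subject: CVE-2020-13254" and no description; a DEP-3 Origin: line pointing at the upstream commit and a Bug-Debian: line for #962323 would let the next maintainer tell whether this is a verbatim upstream backport or a hand-adapted one, which matters here because the thread reports a regression in upstream's own change for this CVE.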
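Review bot: `class InvalidCacheKey(ValueError): pass` in the base.py hunk becomes a public name (it is also added to `__all__` in django/core/cache/__init__.py) but has no docstring; a one-line docstring stating that memcached backends raise it from validate_key() for keys that would otherwise break the protocol or collide would document the new contract for callers that want to catch it.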
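Review bot: in the validate_key hunk the base class keeps warning-only behaviour (`for warning in memcache_key_warnings(key): warnings.warn(warning, CacheKeyWarning)`), so nothing in base.py enforces the check; the security fix depends entirely on the memcached backend overriding validate_key to raise InvalidCacheKey, which should be stated in the patch description so the split is not mistaken for an incomplete backport.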
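Review bot: in memcache_key_warnings() the second yield ends with a trailing comma, `'used with memcached: %r' % key,`, inside the parentheses, so it yields a one-element tuple rather than a str, unlike the first yield. warnings.warn(tuple, CacheKeyWarning) and InvalidCacheKey(tuple) both accept it, but the message then renders as `('Cache key contains characters ...',)`; drop the comma so both branches yield a plain string.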
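Review bot: the attached debdiff is cut off at `+++ b/django/core/cache`, so the django/core/cache/backends/memcached.py hunk (24 lines changed according to the numstat header), which is where the backend turns these warnings into InvalidCacheKey and where the regression fix mentioned earlier in the thread would land, cannot be reviewed from this page; please re-attach the complete patch.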
Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
Chris Lamb wrote:

> I will wait a few days to see what upstream says. I will also have to
> re-release for jessie LTS, alas.

Okay, this is now fixed in the following versions (without and with the
regression fix):

  Distribution   Upload with regression   Upload with regression fixed
  jessie         1.7.11-1+deb8u9          1.7.11-1+deb8u10
  stretch        n/a                      1:1.10.7-2+deb9u9 (pending)
  buster         n/a                      1:1.11.29-1~deb10u1 (pending)
  unstable       2:2.2.13-1               2:2.2.13-2
  experimental   2:3.0.7-1                2:3.0.7-2

The two pending uploads (ie. needing your approval) to upload are:

python-django (1:1.10.7-2+deb9u9) stretch-security; urgency=high

  * CVE-2020-13254: Potential a data leakage via malformed memcached keys.

    In cases where a memcached backend does not perform key validation, passing
    malformed cache keys could result in a key collision, and potential data
    leakage. In order to avoid this vulnerability, key validation is added to
    the memcached cache backends.

  * CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget.

    Query parameters to the admin ForeignKeyRawIdWidget were not properly URL
    encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures
    query parameters are correctly URL encoded.

 -- Chris Lamb  Sat, 13 Jun 2020 15:47:14 +0100

and

python-django (1:1.11.29-1~deb10u1) buster-security; urgency=high

  * New upstream security release (postponed from March 2020):

    - CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS
      functions and aggregates on Oracle

    Note that Django 1.11.x left upstream's extended security support on
    April 1st 2020. For more information, please see:

      https://www.djangoproject.com/download/

  * This upload also fixes the following security issues:

    - CVE-2020-13254: Potential a data leakage via malformed memcached keys.

      In cases where a memcached backend does not perform key validation,
      passing malformed cache keys could result in a key collision, and
      potential data leakage. In order to avoid this vulnerability, key
      validation is added to the memcached cache backends.

    - CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget.

      Query parameters to the admin ForeignKeyRawIdWidget were not properly
      URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now
      ensures query parameters are correctly URL encoded.

 -- Chris Lamb  Sun, 14 Jun 2020 12:15:26 +0100

The full debdiffs are attached. Can you especially check the
versioning scheme and distribution fields for me? I often get this
wrong and end up confusing myself. Really appreciated.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-
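The key-collision mechanism behind the CVE-2020-13254 changelog entry above, as an added example that is not part of this thread or of Django's own code. The checks in memcache_key_warnings() copy the rules visible in the stretch patch (more than 250 characters, or any character with ord below 33 or equal to 127); make_key(), set_command() and parse_frames() are a constructed model of the memcached text protocol rather than a client or server, and MALICIOUS_KEY and the ':1:session' entry it overwrites are made-up inputs. It runs stand-alone, without Django or a memcached daemon.

```python
"""Key validation for memcached-backed caches (added illustration, not
Django's implementation).

Mirrors the rule in the patch discussed in this bug (reject keys longer
than 250 characters or containing a character with ord < 33 or ord == 127)
and shows why an unvalidated key matters on the memcached text protocol.
make_key() assumes Django's prefix:version:key layout; set_command() and
parse_frames() are a constructed model of the protocol, not a real client.
"""

MEMCACHE_MAX_KEY_LENGTH = 250


class InvalidCacheKey(ValueError):
    """Raised for a key that cannot be sent safely to memcached."""


def memcache_key_warnings(key):
    """Yield one str per problem found in `key` (same rules as the patch)."""
    if len(key) > MEMCACHE_MAX_KEY_LENGTH:
        yield ('Cache key will cause errors if used with memcached: %r '
               '(longer than %s)' % (key, MEMCACHE_MAX_KEY_LENGTH))
    for char in key:
        if ord(char) < 33 or ord(char) == 127:
            # No trailing comma after the string: a trailing comma would make
            # this a one-element tuple and the message would render as "('...',)".
            yield ('Cache key contains characters that will cause errors if '
                   'used with memcached: %r' % key)
            break


def validate_key(key):
    """A memcached backend must raise, not warn: the first problem aborts."""
    for warning in memcache_key_warnings(key):
        raise InvalidCacheKey(warning)
    return key


def is_valid_key(key):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        validate_key(key)
    except InvalidCacheKey:
        return False
    return True


def make_key(key, key_prefix='', version=1):
    """Final key as sent to the server; validation applies to this value."""
    return '%s:%s:%s' % (key_prefix, version, key)


def set_command(key, value, validate=True):
    """Build a memcached text-protocol SET frame:
    'set <key> <flags> <exptime> <bytes>\\r\\n<data>\\r\\n'.
    With validate=False, whitespace or CRLF in `key` rewrites the frame."""
    if validate:
        validate_key(key)
    data = value.encode()
    return ('set %s 0 0 %d\r\n' % (key, len(data))).encode() + data + b'\r\n'


def parse_frames(frame):
    """Read a frame the way the text protocol is parsed: line by line, each
    'set' line followed by one data line. Returns {key: data}."""
    lines = frame.split(b'\r\n')
    stored = {}
    i = 0
    while i < len(lines):
        parts = lines[i].split(b' ')
        if parts[0] == b'set' and len(parts) == 5 and i + 1 < len(lines):
            stored[parts[1].decode()] = lines[i + 1]
            i += 2
        else:
            i += 1
    return stored


# Constructed attacker-controlled key: the embedded CRLFs smuggle a second SET
# that overwrites the application's own ':1:session' entry with 'owned'.
MALICIOUS_KEY = make_key('session 0 0 5\r\nowned\r\nset x')


if __name__ == '__main__':
    print(parse_frames(set_command(MALICIOUS_KEY, 'v', validate=False)))
    print(is_valid_key(MALICIOUS_KEY), list(memcache_key_warnings(MALICIOUS_KEY)))
```

Validation has to run on the final key, prefix and version included, which is why set_command() checks the value that make_key() produced rather than the caller's original string. The base-class validate_key() in the patch only warns; a memcached backend has to turn the same messages into InvalidCacheKey, as validate_key() does here, otherwise the frame above is sent as-is.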
Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
Hi Sébastien,

> > Security team, would you like an update for stretch and/or buster to
> > address these issues? It's fixed in sid, experimental as well as
> > jessie LTS. Bullseye is just pending migration time AFAICT.
[…]
> yes, that'd be fine. Is there any chance you could also piggyback the
> fix for CVE-2020-9402 (marked "postponed") on top of the ones for
> CVE-2020-13254 and CVE-2020-13596?

Sure. For buster, I recommend we take the latest security upstream stable
release to fix CVE-2020-9402, but for stretch we will need to backport all
three.

However, I just independently discovered a regression in the latest change
for CVE-2020-13254:

  https://code.djangoproject.com/ticket/31654#comment:14

I will wait a few days to see what upstream says. I will also have to
re-release for jessie LTS, alas.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-
Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
On 06/06 10:15, Chris Lamb wrote:
> > python-django: CVE-2020-13254 CVE-2020-13596
>
> Security team, would you like an update for stretch and/or buster to
> address these issues? It's fixed in sid, experimental as well as
> jessie LTS. Bullseye is just pending migration time AFAICT.

Hi Chris,

yes, that'd be fine. Is there any chance you could also piggyback the
fix for CVE-2020-9402 (marked "postponed") on top of the ones for
CVE-2020-13254 and CVE-2020-13596?

Cheers,
-- 
Seb
Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
Hi,

> python-django: CVE-2020-13254 CVE-2020-13596

Security team, would you like an update for stretch and/or buster to
address these issues? It's fixed in sid, experimental as well as
jessie LTS. Bullseye is just pending migration time AFAICT.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
Package: python-django
Version: 1.7.11-1+deb8u3
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

CVE-2020-13254[0]:
| An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before
| 3.0.7. In cases where a memcached backend does not perform key
| validation, passing malformed cache keys could result in a key
| collision, and potential data leakage.

CVE-2020-13596[1]:
| An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before
| 3.0.7. Query parameters generated by the Django admin
| ForeignKeyRawIdWidget were not properly URL encoded, leading to a
| possibility of an XSS attack.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13254
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13254
[1] https://security-tracker.debian.org/tracker/CVE-2020-13596
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13596

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
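The second issue in the report, CVE-2020-13596, as an added example that is not Django's widget code or part of this bug thread: related_link_unsafe() reproduces the pattern the advisory describes (lookup parameters joined into the href without URL encoding and inserted into the markup as-is, which assumes the string is treated as already-safe by the template), related_link_safe() applies urllib.parse.urlencode() followed by HTML escaping, and tags_in()/query_params() show what a browser and the changelist view would each see. The LOOKUP dict, the /admin/app/author/ path and the anchor markup are constructed for the demo.

```python
"""URL encoding of raw-id widget query parameters (added illustration,
not Django's ForeignKeyRawIdWidget).

The advisory says the widget's lookup parameters were joined into its href
without URL encoding. The two builders below contrast that pattern with
urlencode(). The unsafe variant assumes the string reaches the attribute
as already-safe markup; LOOKUP, the admin path and the anchor markup are
constructed for the demo.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed lookup dict, as a limit_choices_to might supply; the first value
# is an attacker-chosen string that closes the href attribute.
LOOKUP = {
    'name__startswith': '"><img src=x onerror=alert(1)>',
    'status__exact': 'active',
}


def url_params_unsafe(lookup):
    """Join k=v pairs verbatim: reserved and markup characters survive."""
    return '?' + '&amp;'.join('%s=%s' % (k, v) for k, v in lookup.items())


def url_params_safe(lookup):
    """Percent-encode every key and value; '&' separates the pairs."""
    return '?' + urlencode(lookup)


def related_link_unsafe(related_url, lookup):
    """Inline the unencoded query string into the href with no escaping."""
    return '<a href="%s%s" class="related-lookup">Lookup</a>' % (
        related_url, url_params_unsafe(lookup))


def related_link_safe(related_url, lookup):
    """Encode the query string, then HTML-escape it for the attribute."""
    return '<a href="%s" class="related-lookup">Lookup</a>' % escape(
        related_url + url_params_safe(lookup), quote=True)


class _TagCollector(HTMLParser):
    """Record (tag, attrs) for every start tag, as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def tags_in(markup):
    """Return [(tag, {attr: value}), ...] found in `markup`."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def query_params(markup):
    """Decode the first <a>'s href the way the changelist view would:
    {name: value}. Blank values are dropped, as parse_qs() does by default."""
    href = next(attrs['href'] for tag, attrs in tags_in(markup) if tag == 'a')
    return {k: v[0] for k, v in parse_qs(urlsplit(href).query).items()}


if __name__ == '__main__':
    for build in (related_link_unsafe, related_link_safe):
        link = build('/admin/app/author/', LOOKUP)
        print(build.__name__, [tag for tag, _ in tags_in(link)], query_params(link))
```

With the unsafe builder the browser sees a second, attacker-supplied img tag and the view sees no filter at all, because the quote in the value ended the href early; with urlencode() the only tag is the anchor and the decoded query round-trips to the original LOOKUP. Encoding for the URL and escaping for the attribute are separate steps; the fix the changelog describes is the first one, and the template's autoescaping is the second.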