From 0b79eb36915d178aef5c6a7bbce71b1e76d376d3 Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Wed, 14 Apr 2021 18:23:44 +0200 Subject: Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. --- docs/releases/2.2.21.txt | 17 +++++++++++++++++ docs/releases/3.1.9.txt | 17 +++++++++++++++++ docs/releases/3.2.1.txt | 14 ++++++++++++-- docs/releases/index.txt | 2 ++ 4 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 docs/releases/2.2.21.txt create mode 100644 docs/releases/3.1.9.txt (limited to 'docs') diff --git a/docs/releases/2.2.21.txt b/docs/releases/2.2.21.txt new file mode 100644 index 0000000000..f32aeadff7 --- /dev/null +++ b/docs/releases/2.2.21.txt @@ -0,0 +1,17 @@ +=========================== +Django 2.2.21 release notes +=========================== + +*May 4, 2021* + +Django 2.2.21 fixes a security issue in 2.2.20. + +CVE-2021-31542: Potential directory-traversal via uploaded files +================================================================ + +``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed +directory-traversal via uploaded files with suitably crafted file names. + +In order to mitigate this risk, stricter basename and path sanitation is now +applied. Specifically, empty file names and paths with dot segments will be +rejected. diff --git a/docs/releases/3.1.9.txt b/docs/releases/3.1.9.txt new file mode 100644 index 0000000000..682270b901 --- /dev/null +++ b/docs/releases/3.1.9.txt @@ -0,0 +1,17 @@ +========================== +Django 3.1.9 release notes +========================== + +*May 4, 2021* + +Django 3.1.9 fixes a security issue in 3.1.8. + +CVE-2021-31542: Potential directory-traversal via uploaded files +================================================================ + +``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed +directory-traversal via uploaded files with suitably crafted file names. + +In order to mitigate this risk, stricter basename and path sanitation is now +applied. Specifically, empty file names and paths with dot segments will be +rejected. diff --git a/docs/releases/3.2.1.txt b/docs/releases/3.2.1.txt index 545c9adce3..97ac4ebc94 100644 --- a/docs/releases/3.2.1.txt +++ b/docs/releases/3.2.1.txt @@ -2,9 +2,19 @@ Django 3.2.1 release notes ========================== -*Expected May 4, 2021* +*May 4, 2021* -Django 3.2.1 fixes several bugs in 3.2. +Django 3.2.1 fixes a security issue and several bugs in 3.2. + +CVE-2021-31542: Potential directory-traversal via uploaded files +================================================================ + +``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed +directory-traversal via uploaded files with suitably crafted file names. + +In order to mitigate this risk, stricter basename and path sanitation is now +applied. Specifically, empty file names and paths with dot segments will be +rejected. Bugfixes ======== diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 0249642d87..6421478c9c 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -40,6 +40,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 3.1.9 3.1.8 3.1.7 3.1.6 @@ -76,6 +77,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 2.2.21 2.2.20 2.2.19 2.2.18 -- cgit v1.3