From 9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Mon, 24 May 2021 09:55:14 +0200 Subject: [3.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses. validate_ipv4_address() was affected only on Python < 3.9.5, see [1]. URLValidator() uses a regular expressions and it was affected on all Python versions. [1] https://bugs.python.org/issue36384 --- docs/releases/2.2.24.txt | 13 +++++++++++++ docs/releases/3.1.12.txt | 13 +++++++++++++ docs/releases/3.2.4.txt | 13 +++++++++++++ 3 files changed, 39 insertions(+) (limited to 'docs') diff --git a/docs/releases/2.2.24.txt b/docs/releases/2.2.24.txt index 9bcf7037c4..1064fc53a0 100644 --- a/docs/releases/2.2.24.txt +++ b/docs/releases/2.2.24.txt @@ -17,3 +17,16 @@ the existence but also the file contents would have been exposed. As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded. + +CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses +=========================================================================================================================== + +:class:`~django.core.validators.URLValidator`, +:func:`~django.core.validators.validate_ipv4_address`, and +:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading +zeros in octal literals. If you used such values you could suffer from +indeterminate SSRF, RFI, and LFI attacks. + +:func:`~django.core.validators.validate_ipv4_address` and +:func:`~django.core.validators.validate_ipv46_address` validators were not +affected on Python 3.9.5+. diff --git a/docs/releases/3.1.12.txt b/docs/releases/3.1.12.txt index 7d8ee8447e..0700f40849 100644 --- a/docs/releases/3.1.12.txt +++ b/docs/releases/3.1.12.txt @@ -17,3 +17,16 @@ the existence but also the file contents would have been exposed. As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded. + +CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses +=========================================================================================================================== + +:class:`~django.core.validators.URLValidator`, +:func:`~django.core.validators.validate_ipv4_address`, and +:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading +zeros in octal literals. If you used such values you could suffer from +indeterminate SSRF, RFI, and LFI attacks. + +:func:`~django.core.validators.validate_ipv4_address` and +:func:`~django.core.validators.validate_ipv46_address` validators were not +affected on Python 3.9.5+. diff --git a/docs/releases/3.2.4.txt b/docs/releases/3.2.4.txt index 7c1b195d00..496ea6ec3f 100644 --- a/docs/releases/3.2.4.txt +++ b/docs/releases/3.2.4.txt @@ -18,6 +18,19 @@ the existence but also the file contents would have been exposed. As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded. +CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses +=========================================================================================================================== + +:class:`~django.core.validators.URLValidator`, +:func:`~django.core.validators.validate_ipv4_address`, and +:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading +zeros in octal literals. If you used such values you could suffer from +indeterminate SSRF, RFI, and LFI attacks. + +:func:`~django.core.validators.validate_ipv4_address` and +:func:`~django.core.validators.validate_ipv46_address` validators were not +affected on Python 3.9.5+. + Bugfixes ======== -- cgit v1.3