author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2021-05-24 09:55:14 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2021-06-02 10:44:39 +0200
commit: 9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d (patch)
tree: 24b1f55302cfd60a9c321ef1c00d70d42c0acd88 /docs/releases
parent: dfaba12cda060b8b292ae1d271b44bf810b1c5b9 (diff)
[3.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.

validate_ipv4_address() was affected only on Python < 3.9.5, see [1]. URLValidator() uses a regular expression and it was affected on all Python versions.

[1] https://bugs.python.org/issue36384
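The commit message distinguishes two code paths: a validator that delegates to Python's ipaddress module (whose acceptance of leading-zero octets depends on the interpreter version) and a regular-expression validator that was affected regardless of version. The following is an added illustration, not Django's code: it shows a version-independent check that rejects dotted-quad octets with leading zeros ahead of the stdlib parse, a strict regex alternative for pattern-based validators, and a probe of what the running interpreter's ipaddress module accepts. The function names, the regex and the sample inputs are constructed for this example.

```python
import ipaddress
import re
import sys

# Constructed strict dotted-decimal pattern (not Django's own regex):
# each octet is 0-255 and a multi-digit octet may not start with "0".
STRICT_IPV4_RE = re.compile(
    r"(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
    r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
)


def has_leading_zero_octet(value: str) -> bool:
    """True if any dot-separated field has a leading zero, e.g. '01' or '012'.

    A lone '0' is a valid octet and is not flagged.
    """
    return any(len(field) > 1 and field[0] == "0" for field in value.split("."))


def validate_ipv4_strict(value: str) -> bool:
    """Accept only canonical dotted-decimal IPv4 addresses.

    On Python < 3.9.5 ipaddress.IPv4Address('127.0.0.01') parses successfully,
    so the explicit leading-zero check runs first; the result is then the same
    on every interpreter version.
    """
    if has_leading_zero_octet(value):
        return False
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def validate_ipv4_regex(value: str) -> bool:
    """Regex-only variant for validators that match a pattern instead of parsing."""
    return STRICT_IPV4_RE.fullmatch(value) is not None


def stdlib_accepts(value: str) -> bool:
    """What this interpreter's ipaddress module does with the value (version dependent)."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


# Constructed sample inputs: canonical, leading-zero, out-of-range and short forms.
SAMPLES = ["127.0.0.1", "127.0.0.01", "010.1.1.1", "0.0.0.0", "256.1.1.1", "127.1"]

if __name__ == "__main__":
    print(f"Python {sys.version.split()[0]}")
    print(f"{'input':<12} {'strict':<7} {'regex':<7} stdlib")
    for sample in SAMPLES:
        print(
            f"{sample:<12} {validate_ipv4_strict(sample)!s:<7} "
            f"{validate_ipv4_regex(sample)!s:<7} {stdlib_accepts(sample)}"
        )
```

Running the block prints one row per sample; the strict and regex columns agree with each other on every interpreter, while the stdlib column is the one that changes at Python 3.9.5. Putting the leading-zero rejection in front of the library parse is the simplest way to get a deterministic validator without depending on the deployment's Python version.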
Diffstat (limited to 'docs/releases'):

-rw-r--r--  docs/releases/2.2.24.txt | 13
-rw-r--r--  docs/releases/3.1.12.txt | 13
-rw-r--r--  docs/releases/3.2.4.txt  | 13

3 files changed, 39 insertions, 0 deletions
diff --git a/docs/releases/2.2.24.txt b/docs/releases/2.2.24.txt
index 9bcf7037c4..1064fc53a0 100644
--- a/docs/releases/2.2.24.txt
+++ b/docs/releases/2.2.24.txt
@@ -17,3 +17,16 @@ the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.
+
+CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
+===========================================================================================================================
+
+:class:`~django.core.validators.URLValidator`,
+:func:`~django.core.validators.validate_ipv4_address`, and
+:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading
+zeros in octal literals. If you used such values you could suffer from
+indeterminate SSRF, RFI, and LFI attacks.
+
+:func:`~django.core.validators.validate_ipv4_address` and
+:func:`~django.core.validators.validate_ipv46_address` validators were not
+affected on Python 3.9.5+.
diff --git a/docs/releases/3.1.12.txt b/docs/releases/3.1.12.txt
index 7d8ee8447e..0700f40849 100644
--- a/docs/releases/3.1.12.txt
+++ b/docs/releases/3.1.12.txt
@@ -17,3 +17,16 @@ the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.
+
+CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
+===========================================================================================================================
+
+:class:`~django.core.validators.URLValidator`,
+:func:`~django.core.validators.validate_ipv4_address`, and
+:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading
+zeros in octal literals. If you used such values you could suffer from
+indeterminate SSRF, RFI, and LFI attacks.
+
+:func:`~django.core.validators.validate_ipv4_address` and
+:func:`~django.core.validators.validate_ipv46_address` validators were not
+affected on Python 3.9.5+.
diff --git a/docs/releases/3.2.4.txt b/docs/releases/3.2.4.txt
index 7c1b195d00..496ea6ec3f 100644
--- a/docs/releases/3.2.4.txt
+++ b/docs/releases/3.2.4.txt
@@ -18,6 +18,19 @@ the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.
+CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
+===========================================================================================================================
+
+:class:`~django.core.validators.URLValidator`,
+:func:`~django.core.validators.validate_ipv4_address`, and
+:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading
+zeros in octal literals. If you used such values you could suffer from
+indeterminate SSRF, RFI, and LFI attacks.
+
+:func:`~django.core.validators.validate_ipv4_address` and
+:func:`~django.core.validators.validate_ipv46_address` validators were not
+affected on Python 3.9.5+.
+
Bugfixes
========
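Review bot: unlike the preceding entry, which closes with "As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.", this entry never says what the fix does, so a user cannot tell from the note that inputs which previously validated will now be rejected. Suggest a closing sentence along the lines of "The validators now reject IPv4 addresses containing octets with leading zeros." Since this paragraph is duplicated verbatim in 2.2.24.txt and 3.1.12.txt, any wording change here needs to be applied to all three files.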