Bug 1161919 (CVE-2020-7471)

Summary: VUL-0: CVE-2020-7471: python-Django,python-Django1 : Potential SQL injection via ``StringAgg(delimiter)``
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: cloud-bugs, jmoffitt, kberger, lgrimmer, tbechtold, wolfgang.frisch
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/251898/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-7471:7.6:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 2 Alexandros Toptsoglou 2020-01-27 15:25:46 UTC 
CRD: 2020-02-03 (10:00 UTC)
Comment 3 Wolfgang Frisch 2020-01-27 15:30:20 UTC 
*** Bug 1161920 has been marked as a duplicate of this bug. ***
Comment 7 Alexandros Toptsoglou 2020-02-03 16:07:44 UTC 
Now public through oss 

https://www.djangoproject.com/weblog/2020/feb/03/security-releases/ <https://www.djangoproject.com/weblog/2020/feb/03/security-releases/>

In accordance with `our security release policy <https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team is issuing `Django 3.0.3 <https://docs.djangoproject.com/en/dev/releases/3.0.3/>`_, `Django 2.2.10 <https://docs.djangoproject.com/en/dev/releases/2.2.10/>`_ and `Django 1.11.28 <https://docs.djangoproject.com/en/dev/releases/1.11.28/>`_. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

Affected supported versions
===========================

* Django master branch
* Django 3.0
* Django 2.2
* Django 1.11

CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``
===================================================================

``django.contrib.postgres.aggregates.StringAgg`` aggregation function was
subject to SQL injection, using a suitably crafted ``delimiter``.

Thank you to Simon Charette for the report and patch. 

Resolution
==========

Patches to resolve the issue have been applied to Django's master branch and
the 3.0, 2.2, and 1.11 release branches. The patches may be obtained from the following changesets:

* On the `master branch <https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136>`__
* On the `3.0 release branch <https://github.com/django/django/commit/505826b469b16ab36693360da9e11fd13213421b>`__
* On the `2.2 release branch <https://github.com/django/django/commit/c67a368c16e4680b324b4f385398d638db4d8147>`__
* On the `1.11 release branch <https://github.com/django/django/commit/001b0634cd309e372edb6d7d95d083d02b8e37bd>`__

The following releases have been issued:

* Django 3.0.3 (`download Django 3.0.3 <https://www.djangoproject.com/m/releases/3.0/Django-3.0.3.tar.gz>`_ | `3.0.3 checksums <https://www.djangoproject.com/m/pgp/Django-3.0.3.checksum.txt>`_)
* Django 2.2.10 (`download Django 2.2.10 <https://www.djangoproject.com/m/releases/2.2/Django-2.2.10.tar.gz>`_ | `2.2.10 checksums <https://www.djangoproject.com/m/pgp/Django-2.2.10.checksum.txt>`_)
* Django 1.11.28 (`download Django 1.11.28 <https://www.djangoproject.com/m/releases/1.11/Django-1.11.28.tar.gz>`_ | `1.11.28 checksums <https://www.djangoproject.com/m/pgp/Django-1.11.28.checksum.txt>`_)

The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security@djangoproject.com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.
Comment 8 Swamp Workflow Management 2020-02-04 10:50:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1161919) was mentioned in
https://build.opensuse.org/request/show/769928 Factory / python-Django
https://build.opensuse.org/request/show/769934 Factory / python-Django1
Comment 9 Swamp Workflow Management 2020-03-18 11:40:14 UTC 
This is an autogenerated message for OBS integration:
This bug (1161919) was mentioned in
https://build.opensuse.org/request/show/786136 Factory / python-Django
Comment 14 Swamp Workflow Management 2020-08-07 01:14:22 UTC 
SUSE-RU-2020:2161-1: An update that solves 24 vulnerabilities and has 10 fixes is now available.

Category: recommended (moderate)
Bug References: 1019111,1107190,1126503,1136928,1153191,1159046,1159447,1160151,1160152,1160153,1160192,1160790,1161088,1161089,1161670,1161919,1163446,1165022,1170657,1171070,1171071,1171072,1171273,1171594,1171909,1172166,1172167,1172409,1172522,1173413,1173416,1173418,1173420,1174006
CVE References: CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792,CVE-2019-16865,CVE-2019-19844,CVE-2019-19911,CVE-2019-3828,CVE-2020-10177,CVE-2020-10378,CVE-2020-10743,CVE-2020-10755,CVE-2020-10994,CVE-2020-11538,CVE-2020-12052,CVE-2020-13254,CVE-2020-13379,CVE-2020-13596,CVE-2020-5311,CVE-2020-5312,CVE-2020-5313,CVE-2020-7471,CVE-2020-8184,CVE-2020-9402
JIRA References: SOC-10029,SOC-10106,SOC-10124,SOC-10317,SOC-10357,SOC-11077,SOC-11082,SOC-11126,SOC-11176,SOC-11203,SOC-11209,SOC-11241,SOC-11243,SOC-11248,SOC-11249,SOC-11274,SOC-11279,SOC-11286,SOC-11289,SOC-11294,SOC-11297,SOC-11298,SOC-11299,SOC-11306,SOC-11314,SOC-11330,SOC-11341,SOC-11342,SOC-6780,SOC-9235,SOC-9775
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    crowbar-core-6.0+git.1594619891.b75a61d0d-3.25.5, crowbar-openstack-6.0+git.1591795073.49cb6400e-3.25.3, grafana-6.2.5-3.12.2, kibana-4.6.3-4.3.2, openstack-barbican-7.0.1~dev24-3.9.5, openstack-ceilometer-11.1.1~dev7-3.16.3, openstack-cinder-13.0.10~dev12-3.22.4, openstack-dashboard-14.1.1~dev6-3.15.5, openstack-designate-7.0.2~dev2-3.19.3, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.6.2, openstack-ironic-11.1.5~dev6-3.19.3, openstack-keystone-14.2.1~dev4-3.22.3, openstack-magnum-7.2.1~dev1-3.13.3, openstack-manila-7.4.2~dev31-4.24.3, openstack-monasca-agent-2.8.2~dev5-3.9.3, openstack-neutron-13.0.8~dev68-3.25.3, openstack-neutron-vsphere-2.0.1~dev167-3.3.3, openstack-nova-18.3.1~dev38-3.25.4, openstack-octavia-3.2.3~dev7-3.25.3, openstack-octavia-amphora-image-0.1.4-7.12.3, openstack-resource-agents-1.0+git.1569436425.8b9c49f-5.3.2, python-Django1-1.11.29-3.15.2, python-Pillow-5.2.0-3.3.2, python-heatclient-1.16.3-3.3.3, python-neutron-tempest-plugin-0.2.0-3.3.2, python-octavia-tempest-plugin-0.2.0-3.3.2, python-os-brick-2.5.10-3.12.3, python-oslo.messaging-8.1.4-3.6.2, python-pyroute2-0.5.2-4.3.2, python-urllib3-1.23-3.12.2, python-waitress-1.4.3-3.3.1, release-notes-suse-openstack-cloud-9.20200610-3.21.4, rubygem-activeresource-4.0.0-4.3.1, rubygem-json-1_7-1.7.7-4.3.1, rubygem-puma-2.16.0-4.9.1
SUSE OpenStack Cloud 9 (src):    ansible1-1.9.6-9.7.2, ardana-ansible-9.0+git.1591138508.e269bdb-3.22.2, ardana-cobbler-9.0+git.1588181228.bae3b1f-3.13.2, ardana-glance-9.0+git.1593631708.9354a78-3.13.2, ardana-input-model-9.0+git.1589740948.c24fc0b-3.19.2, ardana-logging-9.0+git.1591193994.d93b668-3.13.2, ardana-manila-9.0+git.1594158642.b5905e4-3.12.2, ardana-monasca-9.0+git.1589385256.7fbfaaf-3.19.2, ardana-mq-9.0+git.1593618110.cbd1a37-3.16.2, ardana-neutron-9.0+git.1590756257.e09d54f-3.22.2, ardana-octavia-9.0+git.1590079609.a2ae6ab-3.19.2, ardana-tempest-9.0+git.1593033709.9495bb2-3.16.2, grafana-6.2.5-3.12.2, kibana-4.6.3-4.3.2, openstack-barbican-7.0.1~dev24-3.9.5, openstack-ceilometer-11.1.1~dev7-3.16.3, openstack-cinder-13.0.10~dev12-3.22.4, openstack-dashboard-14.1.1~dev6-3.15.5, openstack-designate-7.0.2~dev2-3.19.3, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.6.2, openstack-ironic-11.1.5~dev6-3.19.3, openstack-keystone-14.2.1~dev4-3.22.3, openstack-magnum-7.2.1~dev1-3.13.3, openstack-manila-7.4.2~dev31-4.24.3, openstack-monasca-agent-2.8.2~dev5-3.9.3, openstack-neutron-13.0.8~dev68-3.25.3, openstack-neutron-vsphere-2.0.1~dev167-3.3.3, openstack-nova-18.3.1~dev38-3.25.4, openstack-octavia-3.2.3~dev7-3.25.3, openstack-octavia-amphora-image-0.1.4-7.12.3, openstack-resource-agents-1.0+git.1569436425.8b9c49f-5.3.2, python-Django1-1.11.29-3.15.2, python-Pillow-5.2.0-3.3.2, python-ardana-packager-0.0.3-9.3.2, python-heatclient-1.16.3-3.3.3, python-neutron-tempest-plugin-0.2.0-3.3.2, python-octavia-tempest-plugin-0.2.0-3.3.2, python-os-brick-2.5.10-3.12.3, python-oslo.messaging-8.1.4-3.6.2, python-pyroute2-0.5.2-4.3.2, python-urllib3-1.23-3.12.2, python-waitress-1.4.3-3.3.1, release-notes-suse-openstack-cloud-9.20200610-3.21.4, venv-openstack-barbican-7.0.1~dev24-3.19.3, venv-openstack-cinder-13.0.10~dev12-3.19.2, venv-openstack-designate-7.0.2~dev2-3.19.2, venv-openstack-glance-17.0.1~dev30-3.17.2, venv-openstack-heat-11.0.3~dev35-3.19.2, venv-openstack-horizon-14.1.1~dev6-4.18.3, venv-openstack-ironic-11.1.5~dev6-4.15.2, venv-openstack-keystone-14.2.1~dev4-3.19.2, venv-openstack-magnum-7.2.1~dev1-4.19.2, venv-openstack-manila-7.4.2~dev31-3.21.2, venv-openstack-monasca-2.7.1~dev10-3.17.3, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.19.2, venv-openstack-neutron-13.0.8~dev68-6.19.2, venv-openstack-nova-18.3.1~dev38-3.19.3, venv-openstack-octavia-3.2.3~dev7-4.19.2, venv-openstack-sahara-9.0.2~dev15-3.19.2, venv-openstack-swift-2.19.2~dev48-2.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2020-11-12 17:22:22 UTC 
SUSE-SU-2020:3309-1: An update that solves 53 vulnerabilities, contains 14 features and has 5 fixes is now available.

Category: security (important)
Bug References: 1008037,1008038,1010940,1019021,1038785,1056094,1059235,1080682,1097775,1102126,1109957,1112959,1117080,1118896,1123561,1126503,1137479,1137528,1142121,1142542,1144453,1153452,1154231,1154232,1154830,1157968,1157969,1159447,1161919,1164133,1164134,1164135,1164136,1164137,1164138,1164139,1164140,1165022,1165393,1166389,1167440,1167532,1171162,1171823,1172450,1173413,1173416,1173418,1174006,1174145,1174242,1174302,1174583,1175484,1175986,1175993,1177120,1177948
CVE References: CVE-2016-8614,CVE-2016-8628,CVE-2016-8647,CVE-2016-9587,CVE-2017-7466,CVE-2017-7550,CVE-2018-10875,CVE-2018-11779,CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2019-0202,CVE-2019-10156,CVE-2019-10206,CVE-2019-10217,CVE-2019-14846,CVE-2019-14856,CVE-2019-14858,CVE-2019-14864,CVE-2019-14904,CVE-2019-14905,CVE-2019-19844,CVE-2019-3828,CVE-2020-10177,CVE-2020-10378,CVE-2020-10684,CVE-2020-10685,CVE-2020-10691,CVE-2020-10729,CVE-2020-10744,CVE-2020-10994,CVE-2020-11110,CVE-2020-14330,CVE-2020-14332,CVE-2020-14365,CVE-2020-1733,CVE-2020-1734,CVE-2020-1735,CVE-2020-1736,CVE-2020-1737,CVE-2020-17376,CVE-2020-1738,CVE-2020-1739,CVE-2020-1740,CVE-2020-1746,CVE-2020-1753,CVE-2020-25032,CVE-2020-26137,CVE-2020-7471,CVE-2020-9402
JIRA References: SOC-10300,SOC-10522,SOC-10616,SOC-11000,SOC-11223,SOC-11342,SOC-11352,SOC-11364,SOC-11386,SOC-11389,SOC-11391,SOC-6780,SOC-9974,SOC-9998
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.9.14-3.15.1, crowbar-core-5.0+git.1600432272.b3ad722f0-3.44.1, crowbar-openstack-5.0+git.1599037158.5c4d07480-4.43.1, documentation-suse-openstack-cloud-deployment-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Pillow-4.2.1-3.9.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, rubygem-crowbar-client-3.9.3-1.1, storm-1.2.3-3.6.1
SUSE OpenStack Cloud 8 (src):    ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-suse-openstack-cloud-installation-8.20201007-1.29.1, documentation-suse-openstack-cloud-operations-8.20201007-1.29.1, documentation-suse-openstack-cloud-opsconsole-8.20201007-1.29.1, documentation-suse-openstack-cloud-planning-8.20201007-1.29.1, documentation-suse-openstack-cloud-security-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, documentation-suse-openstack-cloud-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, venv-openstack-horizon-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1
HPE Helion Openstack 8 (src):    ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-hpe-helion-openstack-installation-8.20201007-1.29.1, documentation-hpe-helion-openstack-operations-8.20201007-1.29.1, documentation-hpe-helion-openstack-opsconsole-8.20201007-1.29.1, documentation-hpe-helion-openstack-planning-8.20201007-1.29.1, documentation-hpe-helion-openstack-security-8.20201007-1.29.1, documentation-hpe-helion-openstack-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-urllib3-1.22-5.12.1, release-notes-hpe-helion-openstack-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, venv-openstack-horizon-hpe-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Jeremy Moffitt 2020-11-12 19:32:16 UTC 
the SOC fixes have been published:
SOC 8 via Nov 12 2020 MU
SOC 9 via Aug 6 2020 MU

SOC7 was not impacted per comments above. 

Re-assigning back to security team.
Comment 21 Wolfgang Frisch 2020-12-09 16:06:55 UTC 
Released.