Bug 1187785 (CVE-2021-35042)

Summary: VUL-0: CVE-2021-35042: python-Django,python-Django1: Potential SQL injection via unsanitized ``QuerySet.order_by()`` input
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Alberto Planas Dominguez <aplanas>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: calmeidadeoliveira, jmoffitt, kberger, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/303032/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Upstream patch 3.1.x
Upstream patch 3.2.x

Description Gianluca Gabrielli 2021-06-28 14:54:45 UTC
Unsanitized user input passed to ``QuerySet.order_by()`` could bypass
intended column reference validation in a path marked for deprecation, resulting in a potential SQL injection even if a deprecation warning is emitted.

As a mitigation the strict column reference validation was restored for the
duration of the deprecation period. This regression appeared in 3.1 as a 
side effect of fixing #31426.

The issue is not present in the main branch as the deprecated path has been
removed.

This issue has High severity, according to the Django security policy [1].

Affected versions
=================

* Django 3.2
* Django 3.1

Resolution
==========

Included with this email are patches implementing the changes described 
above for each affected version of Django. On the release date, these patches 
will be applied to the Django development repository and the following releases 
will be issued along with disclosure of the issues:

* Django 3.2.5
* Django 3.1.13

[1] https://www.djangoproject.com/security/
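On the application side, the defensive measure that holds regardless of the Django version is to never hand request input to ``order_by()`` directly, but to map it onto an allowlist of sortable fields first. The following is an added example; it is not Django's code and not part of the advisory above. The allowed field names, the ``order`` query parameter and the model referenced in the trailing comment are hypothetical.

```python
"""Allowlisting user-supplied ordering before it reaches QuerySet.order_by().

Added example; not Django's own code. ALLOWED_ORDER_FIELDS and the 'order'
query parameter are hypothetical names chosen for this illustration.
"""
import re

# Hypothetical: the only columns a client may sort a listing by.
ALLOWED_ORDER_FIELDS = {"name", "price", "created_at"}

# A plain field name with an optional leading "-" for descending order.
# fullmatch() is used below rather than match() with "$", because "$" also
# matches before a trailing newline and would let "name\n" through.
_FIELD_RE = re.compile(r"-?[A-Za-z_][A-Za-z0-9_]*")


class UnsafeOrderingError(ValueError):
    """Raised when a requested ordering is not on the allowlist."""


def sanitize_ordering(requested, allowed=ALLOWED_ORDER_FIELDS, default=("name",)):
    """Return a tuple that is safe to splat into QuerySet.order_by().

    ``requested`` is the raw value from the request (e.g. ``?order=-price``),
    as a string or an iterable of strings. Only an exact allowed field name,
    optionally prefixed with "-", is accepted; the input itself is never
    forwarded, so the view depends on this allowlist rather than on Django's
    column-reference validation.
    """
    if requested is None or requested == "" or requested == []:
        return tuple(default)
    if isinstance(requested, str):
        requested = [requested]

    cleaned = []
    for item in requested:
        if not isinstance(item, str) or not _FIELD_RE.fullmatch(item):
            raise UnsafeOrderingError(f"rejected ordering value: {item!r}")
        field = item[1:] if item.startswith("-") else item
        if field not in allowed:
            raise UnsafeOrderingError(f"field not sortable: {field!r}")
        cleaned.append(item)
    return tuple(cleaned)


def is_safe_ordering(requested, allowed=ALLOWED_ORDER_FIELDS):
    """Boolean form of sanitize_ordering(), convenient for checks and tests."""
    try:
        sanitize_ordering(requested, allowed)
        return True
    except UnsafeOrderingError:
        return False


def ordering_from_query(params):
    """Pull the 'order' values out of a parsed query string (dict of lists)."""
    return sanitize_ordering(params.get("order", []))


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate request, then values that must
    # be rejected (two fields in one value, a lookup traversal, a field that is
    # not on the allowlist, and a trailing newline).
    print(ordering_from_query({"order": ["-price", "name"]}))
    for bad in ("price, name", "created_at__year", "password", "name\n"):
        print(repr(bad), "safe" if is_safe_ordering(bad) else "blocked")
    # In a view (hypothetical model):
    # Product.objects.order_by(*ordering_from_query(request.GET))
```

The point of the allowlist is that it is independent of how strict Django's own ``order_by()`` validation happens to be in a given release: a value that is not literally one of the known sortable fields never reaches the ORM at all, so the deprecated code path described in the advisory is never exercised with untrusted input.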
Comment 3 Gianluca Gabrielli 2021-06-28 14:56:26 UTC
Created attachment 850602 [details]
Upstream patch 3.1.x
Comment 4 Gianluca Gabrielli 2021-06-28 14:56:50 UTC
Created attachment 850603 [details]
Upstream patch 3.2.x
Comment 5 Gianluca Gabrielli 2021-06-28 15:10:34 UTC
Affected package:
 - openSUSE:Factory/python-Django  3.2.4

Please upgrade to 3.2.5 as soon as it gets available.
Comment 8 Christian Almeida de Oliveira 2021-06-29 15:37:53 UTC
Hi @Gianluca
based on the analysis from Keith, from SOC side there is nothing to be done, thus I'm assigning it back to the Security team.
Comment 10 Christian Almeida de Oliveira 2021-06-30 08:03:06 UTC
Hi Gianluca,

I could not find info to confirm or deny that SOC is the maintainer of python-django in OBS. For the python-django versions that are used by SOC products there is no doubt, however for other versions I'm afraid SOC might not be the maintainer.
I'm still checking, but it might take time to get to a conclusive answer.

Cheers,
Christian
Comment 11 Christian Almeida de Oliveira 2021-06-30 08:14:32 UTC
Please check with "Alberto Planas Dominguez", he might know as he is the person for devel:languages:python
Comment 14 Gianluca Gabrielli 2021-07-01 08:13:59 UTC
This is now public