Bugzilla – Bug 1185713
VUL-0: CVE-2021-32052: python-Django,python-Django1: header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+
Last modified: 2023-01-03 14:22:41 UTC
A flaw was found in Django. On Python 3.9.5+, ``URLValidator`` didn't prohibit newlines and tabs. If you used such values with newlines in an HTTP response, you could suffer from header injection attacks. Django itself wasn't vulnerable because ``HttpResponse`` prohibits newlines in HTTP headers.
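As an added illustration (not code from the Django project or from this bug report), the following Python sketch mirrors the two validation flows behind this CVE: a pre-fix flow whose urlsplit() fallback lets a newline-bearing value through on Python 3.9.5+ because urlsplit() silently strips tab, CR and LF, and the hardened flow with the up-front control-character check that Django 3.2.2 added. The regex, function names and sample values are constructed for this example and are much simpler than Django's real URLValidator.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed whole-string pattern (far simpler than Django's): scheme, host,
# optional port, optional path. `\Z` keeps a trailing newline from passing `$`.
URL_RE = re.compile(r'^(https?)://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[^\s]*)?\Z',
                    re.IGNORECASE)
# The characters the upstream fix rejects before any parsing happens.
UNSAFE_CHARS = frozenset('\t\r\n')


class ValidationError(ValueError):
    pass


def validate_url_pre_fix(value: str) -> None:
    """Validation shaped like the pre-fix flow: strict regex first, then a
    urlsplit()/urlunsplit() fallback (upstream used it for IDN hosts).
    On Python 3.9.5+ urlsplit() drops \\t, \\r and \\n, so the rebuilt URL
    passes the regex although the original value still carries the newline."""
    if URL_RE.match(value):
        return
    scheme, netloc, path, query, fragment = urlsplit(value)
    rebuilt = urlunsplit((scheme, netloc, path, query, fragment))
    if not URL_RE.match(rebuilt):
        raise ValidationError('invalid URL: %r' % value)


def validate_url_fixed(value: str) -> None:
    """Same flow, with the control-character check done on the raw input
    before urlsplit() gets a chance to strip anything."""
    if UNSAFE_CHARS.intersection(value):
        raise ValidationError('URL contains newline or tab: %r' % value)
    validate_url_pre_fix(value)


def is_valid(validator, value: str) -> bool:
    try:
        validator(value)
    except ValueError:  # ValidationError and urlsplit()'s own ValueError
        return False
    return True


if __name__ == '__main__':
    # Constructed sample: a redirect target carrying a CRLF-terminated header line.
    crafted = 'http://example.com/\r\nX-Injected:1'
    print('pre-fix accepts:', is_valid(validate_url_pre_fix, crafted))
    print('fixed accepts:  ', is_valid(validate_url_fixed, crafted))
```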
- SUSE:SLE-12-SP2:Update:Products:Cloud7:Update/python-Django 1.8.19
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Django 1.11.29
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Django1 1.11.29
- openSUSE:Factory/python-Django 3.2
- master
- 3.2
- 3.1
- 2.2
Additional information.
We use Python 2 on all versions of SUSE OpenStack Cloud so this does not appear to affect us.
Hi Johannes, thanks for pointing this out.
@Alberto, could you please fix this in Factory by bumping the package to version 3.2.2?
(In reply to Gianluca Gabrielli from comment #3)
> Hi Johannes, thanks for pointing this out.
> @Alberto, could you please fix this in Factory by bumping the package to
> version 3.2.2?
There are some missing dependency versions, such as asgiref.
openSUSE-SU-2023:0005-1: An update that solves 13 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1185713,1186608,1186611,1193240,1194115,1194116,1194117,1195086,1195088,1198297,1198398,1198399,1201923,1203793
CVE References: CVE-2021-32052,CVE-2021-33203,CVE-2021-33571,CVE-2021-44420,CVE-2021-45115,CVE-2021-45116,CVE-2021-45452,CVE-2022-22818,CVE-2022-23833,CVE-2022-28346,CVE-2022-28347,CVE-2022-36359,CVE-2022-41323
openSUSE Backports SLE-15-SP3 (src): python-Django-2.2.28-bp220.127.116.11