Bug 1185713 - (CVE-2021-32052) VUL-0: CVE-2021-32052: python-Django,python-Django1: header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+
VUL-0: CVE-2021-32052: python-Django,python-Django1: header injection possibi...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2021-05-06 11:23 UTC by Gianluca Gabrielli
Modified: 2023-01-03 14:22 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Gianluca Gabrielli 2021-05-06 11:23:02 UTC

A flaw was found in Django. On Python 3.9.5+, ``URLValidator`` didn't prohibited newlines and tabs. If you used values with newlines in HTTP response, you could suffer from header injection attacks. Django itself wasn't vulnerable because ``HttpResponse`` prohibit newlines in HTTP headers.

Comment 1 Gianluca Gabrielli 2021-05-06 11:27:19 UTC
Affected packages:

 - SUSE:SLE-12-SP2:Update:Products:Cloud7:Update/python-Django   1.8.19
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Django   1.11.29
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Django1  1.11.29
 - openSUSE:Factory/python-Django                                3.2

Upstream patches:

 - master [0]
 - 3.2 [1]
 - 3.1 [2]
 - 2.2 [3]

Additional information [4].

[0] https://github.com/django/django/commit/e1e81aa1c4427411e3c68facdd761229ffea6f6f
[1] https://github.com/django/django/commit/2d2c1d0c97832860fbd6597977e2aae17dd7e5b2
[2] https://github.com/django/django/commit/afb23f5929944a407e4990edef1c7806a94c9879
[3] https://github.com/django/django/commit/d9594c4ea57b6309d93879805302cec9ae9f23ff
[4] https://www.djangoproject.com/weblog/2021/may/06/security-releases/
Comment 2 Johannes Grassler 2021-05-06 15:49:07 UTC
We use Python 2 on all versions of SUSE OpenStack Cloud so this does not appear to  affect us.
Comment 3 Gianluca Gabrielli 2021-05-07 08:07:59 UTC
Hi Johannes, thanks to have pointed this out.

@Alberto, could you please fix this in Factory by bumping the package to version 3.2.2?
Comment 4 Alberto Planas Dominguez 2021-05-07 08:16:59 UTC
(In reply to Gianluca Gabrielli from comment #3)
> Hi Johannes, thanks to have pointed this out.
> @Alberto, could you please fix this in Factory by bumping the package to
> version 3.2.2?


There are some missing deps versions, as asgiref.
Comment 5 Swamp Workflow Management 2023-01-03 14:22:41 UTC
openSUSE-SU-2023:0005-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185713,1186608,1186611,1193240,1194115,1194116,1194117,1195086,1195088,1198297,1198398,1198399,1201923,1203793
CVE References: CVE-2021-32052,CVE-2021-33203,CVE-2021-33571,CVE-2021-44420,CVE-2021-45115,CVE-2021-45116,CVE-2021-45452,CVE-2022-22818,CVE-2022-23833,CVE-2022-28346,CVE-2022-28347,CVE-2022-36359,CVE-2022-41323
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    python-Django-2.2.28-bp153.2.3.1