Bugzilla – Bug 1181379
VUL-0: CVE-2021-3281: python-Django1,python-Django: Potential directory-traversal via archive.extract()
Last modified: 2022-04-14 15:42:29 UTC
public via oss-security: https://www.djangoproject.com/weblog/2021/feb/01/security-releases/

In accordance with `our security release policy <https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team is issuing `Django 3.1.6 <https://docs.djangoproject.com/en/dev/releases/3.1.6/>`_, `Django 3.0.12 <https://docs.djangoproject.com/en/dev/releases/3.0.12/>`_ and `Django 2.2.18 <https://docs.djangoproject.com/en/dev/releases/2.2.18/>`_. These releases address the security issue with severity "low" detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2021-3281: Potential directory-traversal via ``archive.extract()``
======================================================================

The ``django.utils.archive.extract()`` function, used by ``startapp --template`` and ``startproject --template``, allowed directory-traversal via an archive with absolute paths or relative paths with dot segments.

Thank you to Wang Baohua for the report.

Affected supported versions
===========================

* Django master branch
* Django 3.2 (currently at alpha status)
* Django 3.1
* Django 3.0
* Django 2.2

Resolution
==========

Patches to resolve the issue have been applied to Django's master branch and the 3.2, 3.1, 3.0, and 2.2 release branches. The patches may be obtained from the following changesets:

* On the `master branch <https://github.com/django/django/commit/05413afa8c18cdb978fcdf470e09f7a12b234a23>`__
* On the `3.2 release branch <https://github.com/django/django/commit/f944f79e555c91571192022a6bb9ddf2178db7ed>`__
* On the `3.1 release branch <https://github.com/django/django/commit/02e6592835b4559909aa3aaaf67988fef435f624>`__
* On the `3.0 release branch <https://github.com/django/django/commit/52e409ed17287e9aabda847b6afe58be2fa9f86a>`__
* On the `2.2 release branch <https://github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37>`__

The following releases have been issued:

* Django 3.1.6 (`download Django 3.1.6 <https://www.djangoproject.com/m/releases/3.1/Django-3.1.6.tar.gz>`_ | `3.1.6 checksums <https://www.djangoproject.com/m/pgp/Django-3.1.6.checksum.txt>`_)
* Django 3.0.12 (`download Django 3.0.12 <https://www.djangoproject.com/m/releases/3.0/Django-3.0.12.tar.gz>`_ | `3.0.12 checksums <https://www.djangoproject.com/m/pgp/Django-3.0.12.checksum.txt>`_)
* Django 2.2.18 (`download Django 2.2.18 <https://www.djangoproject.com/m/releases/2.2/Django-2.2.18.tar.gz>`_ | `2.2.18 checksums <https://www.djangoproject.com/m/pgp/Django-2.2.18.checksum.txt>`_)

The PGP key ID used for this release is Mariusz Felisiak: `2EF56372BA48CD1B <https://github.com/felixxm.gpg>`_.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via private email to ``security@djangoproject.com``, and not via Django's Trac instance or the django-developers list. Please see `our security policies <https://www.djangoproject.com/security/>`_ for further information.
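The advisory above names the missing check: member names in a template archive that are absolute or contain ".." segments must never be written under the extraction directory. The validator below is an added example, not Django's own code or the linked patch; it follows the advisory's description, and the destination directory and sample member names are constructed for illustration.

```python
import ntpath
import posixpath

# Added example, not Django's code: a containment check for archive member
# names, modelled on the CVE-2021-3281 advisory (absolute paths and dot
# segments must not escape the extraction directory). `dest` is a constructed
# target directory; posixpath is used so results are identical on any OS.

def is_safe_member(name: str, dest: str = "/srv/templates/app") -> bool:
    """Return True only if member `name` would extract inside `dest`."""
    # Archives may carry backslashes; treat them as separators so a
    # Windows-style '..\\' segment is not missed by a POSIX-only check.
    norm = name.replace("\\", "/")
    # Absolute paths: POSIX '/x', Windows 'C:/x' or UNC '//host/share'.
    if posixpath.isabs(norm) or ntpath.isabs(norm):
        return False
    # Reject any '..' segment outright rather than trusting normalisation.
    segments = [s for s in norm.split("/") if s not in ("", ".")]
    if ".." in segments:
        return False
    # Belt and braces: the resolved path must stay under dest. Comparing
    # against dest + "/" avoids the prefix bug where a dest of "/srv/x"
    # would wrongly accept "/srv/xyz/..." as "inside".
    dest_abs = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest_abs, norm))
    return target == dest_abs or target.startswith(dest_abs + "/")


def unsafe_members(names):
    """Return the member names an extractor should refuse, in archive order."""
    return [n for n in names if not is_safe_member(n)]


if __name__ == "__main__":
    # Constructed sample member list resembling a project template archive.
    SAMPLE = [
        "./",
        "project_name/settings.py",
        "./project_name/urls.py",
        "/tmp/absolute.txt",
        "../../outside.txt",
        "project_name/../../outside.txt",
        "..\\win_style.py",
    ]
    for n in unsafe_members(SAMPLE):
        print("refusing", n)
```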
The python-Django packages in our upstream repositories are patched now:

https://build.opensuse.org/package/show/Cloud:OpenStack:Newton/python-Django
https://build.opensuse.org/package/show/Cloud:OpenStack:Pike/python-Django
https://build.opensuse.org/package/show/Cloud:OpenStack:Rocky/python-Django1

Updated packages for SUSE OpenStack Cloud will become available with the next maintenance updates as they make their way through QA.
SUSE-RU-2021:0351-1: An update that solves three vulnerabilities, contains 77 features and has four fixes is now available.

Category: recommended (important)
Bug References: 1048688,1164838,1177611,1179189,1179955,1180916,1181379
CVE References: CVE-2016-8611,CVE-2020-10743,CVE-2021-3281
JIRA References: SCRD-7737,SCRD-8255,SCRD-8294,SCRD-8462,SCRD-8705,SOC-10001,SOC-10010,SOC-10133,SOC-10150,SOC-10173,SOC-10191,SOC-10233,SOC-10288,SOC-10339,SOC-10348,SOC-10373,SOC-10378,SOC-10440,SOC-10453,SOC-10456,SOC-10549,SOC-10550,SOC-10623,SOC-10633,SOC-10636,SOC-10658,SOC-10660,SOC-10717,SOC-10740,SOC-10835,SOC-10844,SOC-10874,SOC-10877,SOC-10883,SOC-10887,SOC-10899,SOC-10952,SOC-11000,SOC-11006,SOC-11023,SOC-11028,SOC-11039,SOC-11052,SOC-11077,SOC-11079,SOC-11103,SOC-11117,SOC-11118,SOC-11119,SOC-11141,SOC-11176,SOC-11179,SOC-11190,SOC-11238,SOC-11240,SOC-11243,SOC-11248,SOC-11274,SOC-11286,SOC-11333,SOC-11429,SOC-5270,SOC-6354,SOC-7364,SOC-9288,SOC-9297,SOC-9298,SOC-9631,SOC-9632,SOC-9633,SOC-9636,SOC-9683,SOC-9695,SOC-9766,SOC-9767,SOC-9799,SOC-9849
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): crowbar-ha-5.0+git.1610564036.b75ee1b-3.35.1, crowbar-openstack-5.0+git.1610402513.08dca931e-4.49.1, kibana-4.6.3-3.6.1, openstack-neutron-11.0.9~dev69-3.40.1, openstack-neutron-doc-11.0.9~dev69-3.40.1, openstack-nova-16.1.9~dev78-3.45.1, openstack-nova-doc-16.1.9~dev78-3.45.1, python-Django-1.11.29-3.22.1, release-notes-suse-openstack-cloud-8.20201214-3.29.1, sleshammer-0.8.0-0.20.2, spark-1.6.3-8.6.1
SUSE OpenStack Cloud 8 (src): ardana-horizon-8.0+git.1610733160.0f577f4-3.21.1, ardana-logging-8.0+git.1610573640.452aed1-3.27.1, ardana-monasca-8.0+git.1610740501.5dca121-3.27.1, ardana-mq-8.0+git.1605176800.52cccfa-3.29.1, ardana-osconfig-8.0+git.1610643571.91b88d6-3.52.1, kibana-4.6.3-3.6.1, openstack-neutron-11.0.9~dev69-3.40.1, openstack-neutron-doc-11.0.9~dev69-3.40.1, openstack-nova-16.1.9~dev78-3.45.1, openstack-nova-doc-16.1.9~dev78-3.45.1, python-Django-1.11.29-3.22.1, release-notes-suse-openstack-cloud-8.20201214-3.29.1, spark-1.6.3-8.6.1, venv-openstack-horizon-12.0.5~dev6-14.34.3, venv-openstack-neutron-11.0.9~dev69-13.36.1, venv-openstack-nova-16.1.9~dev78-11.34.1
HPE Helion Openstack 8 (src): ardana-horizon-8.0+git.1610733160.0f577f4-3.21.1, ardana-logging-8.0+git.1610573640.452aed1-3.27.1, ardana-monasca-8.0+git.1610740501.5dca121-3.27.1, ardana-mq-8.0+git.1605176800.52cccfa-3.29.1, ardana-osconfig-8.0+git.1610643571.91b88d6-3.52.1, kibana-4.6.3-3.6.1, openstack-neutron-11.0.9~dev69-3.40.1, openstack-neutron-doc-11.0.9~dev69-3.40.1, openstack-nova-16.1.9~dev78-3.45.1, openstack-nova-doc-16.1.9~dev78-3.45.1, python-Django-1.11.29-3.22.1, release-notes-hpe-helion-openstack-8.20201214-3.29.1, spark-1.6.3-8.6.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.34.1, venv-openstack-neutron-11.0.9~dev69-13.36.1, venv-openstack-nova-16.1.9~dev78-11.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-RU-2021:0497-1: An update that solves one vulnerability, contains one feature and has 7 fixes is now available.

Category: recommended (important)
Bug References: 1048688,1149535,1179189,1179955,1180507,1181040,1181379,1181521
CVE References: CVE-2021-3281
JIRA References: SOC-11429
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): crowbar-core-6.0+git.1611320924.849e748ff-3.34.1, crowbar-openstack-6.0+git.1610402342.21499240d-3.31.1, kibana-4.6.3-4.6.1, openstack-dashboard-14.1.1~dev10-3.21.3, openstack-manila-7.4.2~dev60-4.33.2, openstack-neutron-13.0.8~dev147-3.34.2, openstack-neutron-gbp-12.0.1~dev16-3.22.2, openstack-nova-18.3.1~dev78-3.34.2, python-Django1-1.11.29-3.18.2, release-notes-suse-openstack-cloud-9.20201214-3.27.2, sleshammer-0.9.0-7.6.1
SUSE OpenStack Cloud 9 (src): ardana-db-9.0+git.1611600773.5f1de5f-3.22.1, ardana-horizon-9.0+git.1610491814.38661c2-3.16.1, ardana-logging-9.0+git.1610490922.d5f9813-3.16.1, ardana-monasca-9.0+git.1610547641.d79ecfd-3.22.1, ardana-opsconsole-ui-9.0+git.1611867924.eb82818-4.16.1, ardana-osconfig-9.0+git.1610634027.5934cf8-3.25.1, kibana-4.6.3-4.6.1, openstack-dashboard-14.1.1~dev10-3.21.3, openstack-manila-7.4.2~dev60-4.33.2, openstack-neutron-13.0.8~dev147-3.34.2, openstack-neutron-gbp-12.0.1~dev16-3.22.2, openstack-nova-18.3.1~dev78-3.34.2, python-Django1-1.11.29-3.18.2, release-notes-suse-openstack-cloud-9.20201214-3.27.2, venv-openstack-horizon-14.1.1~dev10-4.25.2, venv-openstack-manila-7.4.2~dev60-3.27.2, venv-openstack-neutron-13.0.8~dev147-6.25.2, venv-openstack-nova-18.3.1~dev78-3.25.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1963-1: An update that fixes 10 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1044849,1179805,1181379,1183803,1184148,1185623,1186608,1186611
CVE References: CVE-2017-11481,CVE-2017-11499,CVE-2019-25025,CVE-2020-29651,CVE-2021-27358,CVE-2021-28658,CVE-2021-31542,CVE-2021-3281,CVE-2021-33203,CVE-2021-33571
JIRA References: SOC-11435
Sources used:
SUSE OpenStack Cloud 7 (src): crowbar-openstack-4.0+git.1616146720.44daffca0-9.81.2, grafana-6.7.4-1.24.2, kibana-4.6.6-9.2, monasca-installer-20180608_12.47-16.2, python-Django-1.8.19-3.29.1, python-py-1.8.1-11.16.2, rubygem-activerecord-session_store-0.1.2-3.4.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done.