Bugzilla – Bug 1187785
VUL-0: CVE-2021-35042: python-Django,python-Django1: Potential SQL injection via unsanitized ``QuerySet.order_by()`` input
Last modified: 2021-07-01 08:15:07 UTC
Unsanitized user input passed to ``QuerySet.order_by()`` could bypass
intended column reference validation in a path marked for deprecation, resulting in a potential SQL injection even if a deprecation warning is emitted.
As a mitigation the strict column reference validation was restored for the
duration of the deprecation period. This regression appeared in 3.1 as a
side effect of fixing #31426.
The issue is not present in the main branch as the deprecated path has been
This issue has High severity, according to the Django security policy.
* Django 3.2
* Django 3.1
Included with this email are patches implementing the changes described
above for each affected version of Django. On the release date, these patches
will be applied to the Django development repository and the following releases
will be issued along with disclosure of the issues:
* Django 3.2.5
* Django 3.1.13
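The pattern the advisory warns about is a view that hands a request parameter straight to ``QuerySet.order_by()`` and relies on the ORM's column-reference validation to reject anything that is not a field name. The practical mitigation on the application side is to validate the ordering terms against an explicit allowlist before they ever reach ``order_by()``, so that the fix in 3.2.5/3.1.13 is defence in depth rather than the only barrier. The helper below is an added example for this report, not Django's code, and it does not reproduce the deprecated validation path the advisory describes; it is plain Python so it runs without Django installed. The ``ALLOWED_ORDERING`` allowlist, the ``DEFAULT_ORDERING`` fallback and the sample request values are constructed for illustration.

```python
"""Allowlist validation for user-controlled ordering parameters.

Added example, not Django's own code.  The allowlist, default ordering and
sample inputs below are constructed; substitute your model's field names.
"""

# Constructed allowlist: the only columns a client is permitted to sort on.
ALLOWED_ORDERING = frozenset({"name", "created", "price"})
# Constructed fallback used whenever the request asks for anything else.
DEFAULT_ORDERING = ("-created",)


def safe_ordering(raw, allowed=ALLOWED_ORDERING, default=DEFAULT_ORDERING):
    """Return a tuple of ordering terms that is safe to unpack into order_by().

    ``raw`` is the untrusted value, e.g. ``request.GET.get("order")``.  It may
    contain several comma-separated terms, each optionally prefixed with ``-``
    for descending order.  If any term's field name is not in ``allowed`` the
    whole request falls back to ``default`` instead of silently dropping the
    bad term, so a tampered request is visible in the result rather than
    half-honoured.
    """
    if not raw:
        return tuple(default)
    terms = []
    for term in raw.split(","):
        term = term.strip()
        field = term[1:] if term.startswith("-") else term
        # Exact membership test against literal column names only: no
        # regexes, no "field__lookup" paths, no expressions.  Anything that
        # is not a known column name, including a second leading "-" or SQL
        # fragments, fails this test.
        if field not in allowed:
            return tuple(default)
        terms.append(term)
    return tuple(terms)


def demo():
    """Run the validator over constructed request values and return the results."""
    samples = {
        "name": None,                       # single allowlisted column
        "-created,price": None,             # several terms, mixed direction
        "name); DROP TABLE product--": None,  # constructed SQL fragment
        "id": None,                         # real-looking column, not allowlisted
        "--name": None,                     # double prefix is not a column name
        "": None,                           # missing parameter
    }
    for value in samples:
        samples[value] = safe_ordering(value)
    return samples


if __name__ == "__main__":
    for value, result in demo().items():
        print(f"{value!r:32} -> {result}")
```

In a Django view the result is unpacked into the ORM call, e.g. ``Product.objects.order_by(*safe_ordering(request.GET.get("order")))`` (hypothetical model name); because every term has already been matched against a fixed set of column names, the ORM's own validation is no longer the last line of defence, and the deprecated path the advisory refers to is never exercised with untrusted input.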
Created attachment 850602
Upstream patch 3.1.x
Created attachment 850603
Upstream patch 3.2.x
- openSUSE:Factory/python-Django 3.2.4
Please upgrade to 3.2.5 as soon as it becomes available.
Based on the analysis from Keith, from the SOC side there is nothing to be done, thus I'm assigning it back to the Security team.
I could not find info to confirm or deny that SOC is the maintainer of python-django in OBS. For the python-django versions that are used by SOC products there is no doubt, however for other versions I'm afraid SOC might not be the maintainer.
I'm still checking, but it might take time to get to a conclusive answer.
Please check with "Alberto Planas Dominguez"; he might know, as he is the person for devel:languages:python.
This is now public