Univention Bugzilla – Bug 47502
python-django: Multiple issues (4.3)
Last modified: 2018-08-15 13:14:47 CEST
New Debian python-django 1:1.10.7-2+deb9u2 fixes: This update addresses the following issue(s): * * In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings. (CVE-2017-12794) * django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. (CVE-2018-14574) 1:1.10.7-2+deb9u2 (Fri, 03 Aug 2018 15:11:16 +0800) * Non-maintainer upload by the Security Team. * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware. If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting were both enabled, and if the project has a URL pattern that accepted any path ending in a slash then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks. * CVE-2017-12794: Fix a cross-site scripting attack in the technical HTTP 500 page. This vulnerability did not affect production sites as they typically do not run with "DEBUG = True". * CVE-2017-12794 python-django: Possible XSS in traceback section of technical 500 debug page (CVE-2017-12794) * CVE-2018-14574 django: Open redirect possibility in CommonMiddleware (CVE-2018-14574)
--- mirror/ftp/4.3/unmaintained/4.3-1/source/python-django_1.10.7-2+deb9u1.dsc +++ apt/ucs_4.3-0-errata4.3-1/source/python-django_1.10.7-2+deb9u2.dsc @@ -1,3 +1,16 @@ +1:1.10.7-2+deb9u2 [Fri, 03 Aug 2018 15:11:16 +0800] Chris Lamb <lamby@debian.org>: + + * Non-maintainer upload by the Security Team. + * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware. + If the django.middleware.common.CommonMiddleware and the APPEND_SLASH + setting were both enabled, and if the project has a URL pattern that + accepted any path ending in a slash then a request to a maliciously crafted + URL of that site could lead to a redirect to another site, enabling + phishing and other attacks. (Closes: #905216) + * CVE-2017-12794: Fix a cross-site scripting attack in the technical HTTP 500 + page. This vulnerability did not affect production sites as they typically + do not run with "DEBUG = True". (Closes: #874415) + 1:1.10.7-2+deb9u1 [Fri, 30 Mar 2018 09:32:16 +1100] Brian May <bam@debian.org>: * Non-maintainer upload by the LTS Team. <http://10.200.17.11/4.3-1/#6557579374633625312>
OK: patches OK: piuparts OK: yaml OK: errata-announce python-django.yaml [4.3-1] abd8fa735c Bug #47502: python-django 1:1.10.7-2+deb9u2 doc/errata/staging/python-django.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) [4.3-1] 279f0474ff Bug #47502: python-django 1:1.10.7-2+deb9u2 doc/errata/staging/python-django.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
<http://errata.software-univention.de/ucs/4.3/192.html>