[Python-modules-team] Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
Chris Lamb
lamby at debian.org
Thu Aug 2 03:42:41 BST 2018
Hi security team,
> python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
I've attached the following diff for a proposed 1:1.10.7-2+deb9u2
update for Django:
Source: python-django
Version: 1:1.10.7-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Chris Lamb <lamby at debian.org>
Timestamp: 1533177448
Date: Thu, 02 Aug 2018 10:37:28 +0800
Closes: 905216
Changes:
python-django (1:1.10.7-2+deb9u2) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware.
If the django.middleware.common.CommonMiddleware and the APPEND_SLASH
setting were both enabled, and if the project has a URL pattern that
accepted any path ending in a slash then a request to a maliciously crafted
URL of that site could lead to a redirect to another site, enabling
phishing and other attacks. (Closes: #905216)
Let me know if I should go ahead and upload.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby at debian.org / chris-lamb.co.uk
`-
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 905216_stretch.txt
URL: <http://alioth-lists.debian.net/pipermail/python-modules-team/attachments/20180802/99cfadef/attachment.txt>
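The conditions listed in the changelog, worked through as an added example that is not part of this mail or of Django's own code: a minimal stand-in for the APPEND_SLASH redirect in CommonMiddleware, run with and without leading-slash escaping, together with the check a defender would apply to the resulting Location header. The attached diff is not on this page, so the escaping helper is an assumption modelled on the general approach, not a copy of the patch; the request paths are constructed for the demonstration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed request paths for the demonstration (not taken from the page).
SAMPLE_PATHS = ["/articles/2018", "//evil.example", "/done/"]


def catch_all_resolves(path: str) -> bool:
    """Stand-in for resolving a URL against a catch-all pattern such as
    r'^(?P<page>.*)/$' that accepts any path ending in '/'.
    Assumption: the project has such a pattern, as the advisory describes."""
    return path.endswith("/")


def escape_leading_slashes(url: str) -> str:
    """Rewrite a scheme-relative path '//host/...' as '/%2Fhost/...' so a
    browser keeps it on the current origin. Assumption: modelled on the
    approach of the upstream fix, not copied from the attached diff."""
    if url.startswith("//"):
        return "/%2F" + url[2:]
    return url


def append_slash_location(path: str, escape: bool) -> Optional[str]:
    """Simulate the APPEND_SLASH redirect decision of CommonMiddleware.
    Returns the Location header value, or None when no redirect is issued."""
    if path.endswith("/"):
        return None
    candidate = path + "/"
    if not catch_all_resolves(candidate):
        return None
    # Before the fix the raw candidate was used; after it, leading slashes
    # are escaped so the path cannot be read as a scheme-relative URL.
    return escape_leading_slashes(candidate) if escape else candidate


def is_open_redirect(location: str) -> bool:
    """Defender's check on a Location value: anything that parses with a
    network location points off-site (e.g. '//evil.example/')."""
    return bool(urlsplit(location).netloc)


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        before = append_slash_location(p, escape=False)
        after = append_slash_location(p, escape=True)
        print(f"{p!r}: unpatched -> {before!r} (off-site: "
              f"{is_open_redirect(before or '')}), patched -> {after!r}")
```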