[Python-modules-team] Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware

Salvatore Bonaccorso carnil at debian.org
Thu Aug 2 06:06:05 BST 2018


Hi Chris,

On Thu, Aug 02, 2018 at 03:42:41AM +0100, Chris Lamb wrote:
> Hi security team,
> 
> > python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
> 
> I've attached the following diff for a proposed 1:1.10.7-2+deb9u2
> update for Django:
> 
>   Source: python-django
>   Version: 1:1.10.7-2+deb9u2
>   Distribution: stretch-security
>   Urgency: high
>   Maintainer: Chris Lamb <lamby at debian.org>
>   Timestamp: 1533177448
>   Date: Thu, 02 Aug 2018 10:37:28 +0800
>   Closes: 905216
>   Changes:
>    python-django (1:1.10.7-2+deb9u2) stretch-security; urgency=high
>    .
>      * Non-maintainer upload by the Security Team.
>      * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware.
>        If the django.middleware.common.CommonMiddleware and the APPEND_SLASH
>        setting were both enabled, and if the project has a URL pattern that
>        accepted any path ending in a slash then a request to a maliciously crafted
>        URL of that site could lead to a redirect to another site, enabling
>        phishing and other attacks. (Closes: #905216)
> 
> Let me know if I should go ahead and upload.

Thanks for preparing an update.

The debdiff looks good so far; were you able to test the resulting
package (in particular as well for the given case using
CommonMiddleware and APPEND_SLASH setting enabled)?

There is as well a no-dsa tagged entry (CVE-2017-12794), which is only
relevant when "DEBUG = true". But as we do an update now via a DSA, we
can include this fix as well.

Regards,
Salvatore
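As an added illustration of the case Salvatore asks to have tested (not part of this thread and not Django's own code), the following models the APPEND_SLASH redirect target that CommonMiddleware computes, once the way the vulnerable versions did (path plus a trailing slash) and once with a leading-slash escape modelled on the upstream fix, and pairs both with the same-origin check a reviewer would apply to a Location header. The function names and the sample paths are constructed for the example; the host `other.example` is a placeholder.

```python
"""Added example (not from the Debian bug thread or from Django itself):
model of the APPEND_SLASH redirect in CommonMiddleware before and after the
CVE-2018-14574 fix, plus a same-site check for redirect targets.
"""
from urllib.parse import urlsplit


def append_slash_redirect_vulnerable(path: str) -> str:
    # Pre-fix behaviour (modelled): the redirect target is the request path
    # plus '/'. A path of '//other.example/x' becomes '//other.example/x/',
    # which browsers read as a scheme-relative URL pointing at another host.
    return path + '/'


def escape_leading_slashes(url: str) -> str:
    # Modelled on the upstream fix: when the target starts with '//', the
    # second slash is percent-encoded so the result can only be a path on
    # the current site ('//host/x/' -> '/%2Fhost/x/').
    if url.startswith('//'):
        url = '/%2F' + url[2:]
    return url


def append_slash_redirect_fixed(path: str) -> str:
    # Post-fix behaviour (modelled): same redirect, leading slashes escaped.
    return escape_leading_slashes(path + '/')


def is_same_site_location(location: str) -> bool:
    # Defensive check for a Location header: accept only a relative path
    # that carries neither a scheme nor a network location. Backslashes are
    # normalised first because browsers treat '/\\host' like '//host', and
    # any '//' prefix is rejected outright (urlsplit alone would treat
    # '///host/' as a bare path even though browsers do not).
    normalised = location.replace('\\', '/')
    if normalised.startswith('//'):
        return False
    parts = urlsplit(normalised)
    return parts.scheme == '' and parts.netloc == ''


# Constructed request paths: an ordinary slashless path and two crafted ones.
SAMPLE_PATHS = [
    '/articles',
    '//other.example/articles',
    '///other.example/articles',
]


def audit(paths=SAMPLE_PATHS):
    """Return, per path, whether each redirect variant stays on-site."""
    results = {}
    for path in paths:
        results[path] = {
            'vulnerable': is_same_site_location(append_slash_redirect_vulnerable(path)),
            'fixed': is_same_site_location(append_slash_redirect_fixed(path)),
        }
    return results


if __name__ == '__main__':
    for path, outcome in audit().items():
        print(f'{path!r}: vulnerable stays on-site={outcome["vulnerable"]}, '
              f'fixed stays on-site={outcome["fixed"]}')
```

Running the block shows the crafted paths producing an off-site target under the vulnerable behaviour and an on-site one after the escape; the same `is_same_site_location` check is what a package test for the APPEND_SLASH case would assert on the response's Location header.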
