[Python-modules-team] Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
Chris Lamb
lamby at debian.org
Fri Aug 3 07:24:20 BST 2018
[adding 874415 at bugs.debian.org to CC]
Hi Salvatore,
> > > There is as well a no-dsa tagged entry (CVE-2017-12794), which is only
> > > relevant when "DEBUG = true". But as we do an update now via a DSA, we
> > > can include this fix as well.
> >
> > That makes sense. Shall I go ahead and add this CVE-2017-12794 and send
> > another debdiff?
>
> Yes please.
Full diff attached. Please let me know if this is okay to upload.
Source: python-django
Version: 1:1.10.7-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Chris Lamb <lamby at debian.org>
Timestamp: 1533177448
Date: Thu, 02 Aug 2018 10:37:28 +0800
Closes: 874415 905216
Changes:
python-django (1:1.10.7-2+deb9u2) stretch-security; urgency=high
.
  * Non-maintainer upload by the Security Team.
  * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware.
    If the django.middleware.common.CommonMiddleware and the APPEND_SLASH
    setting were both enabled, and if the project had a URL pattern that
    accepted any path ending in a slash, then a request to a maliciously
    crafted URL of that site could lead to a redirect to another site,
    enabling phishing and other attacks. (Closes: #905216)
  * CVE-2017-12794: Fix a cross-site scripting attack in the technical HTTP 500
    page. This vulnerability did not affect production sites as they typically
    do not run with "DEBUG = True". (Closes: #874415)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby at debian.org / chris-lamb.co.uk
`-
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 905216_874415_stretch.txt
URL: <http://alioth-lists.debian.net/pipermail/python-modules-team/attachments/20180803/11d85eab/attachment-0001.txt>
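Added example, not taken from this bug report, the attached debdiff or Django's own source: a standalone model of how the APPEND_SLASH redirect target is built and of the escaping rule the CVE-2018-14574 fix applies (a leading "//" becomes "/%2F"), plus a defender's check for Location values that would leave the site. Function names and the sample path are assumptions made for this illustration.

```python
# Added example modelling the CVE-2018-14574 fix; not Django's own code.
# Assumption: Django's fix escapes the second of two leading slashes so the
# APPEND_SLASH redirect can never be read as a protocol-relative URL.
from urllib.parse import urlsplit


def escape_leading_slashes(url: str) -> str:
    """Turn a leading '//' into '/%2F' so browsers keep the path on the
    current host instead of resolving it as '//other-host/...'."""
    if url.startswith("//"):
        return "/%2F" + url[2:]
    return url


def append_slash_location(path: str, query: str = "", hardened: bool = True) -> str:
    """Build the redirect target APPEND_SLASH issues for a request path that
    lacks a trailing slash. hardened=False reproduces the pre-fix behaviour
    for comparison only."""
    location = path if path.endswith("/") else path + "/"
    if query:
        location += "?" + query
    return escape_leading_slashes(location) if hardened else location


def redirect_leaves_site(location: str) -> bool:
    """Defensive check for a Location value that is meant to stay on-site:
    True if a browser would resolve it against a scheme or another host."""
    parts = urlsplit(location)
    return bool(parts.scheme or parts.netloc)


if __name__ == "__main__":
    # Constructed sample: a request path with two leading slashes (hypothetical host).
    crafted = "//attacker.invalid"
    old = append_slash_location(crafted, hardened=False)
    new = append_slash_location(crafted)
    print(old, redirect_leaves_site(old))  # //attacker.invalid/ True
    print(new, redirect_leaves_site(new))  # /%2Fattacker.invalid/ False
```

The same check can be run over a server's outgoing 301 Location headers to confirm a deployed Django build no longer emits protocol-relative targets.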