[Python-modules-team] Bug#931316: python-django: CVE-2019-12308: Incorrect HTTP detection with reverse-proxy connecting via HTTPS

Salvatore Bonaccorso carnil at debian.org
Mon Jul 1 19:43:48 BST 2019


Control: retitle -1 python-django: CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS

On Mon, Jul 01, 2019 at 08:36:06PM +0200, Salvatore Bonaccorso wrote:
> Source: python-django
> Version: 1:1.11.21-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: found -1 2:2.2.1-1
> Control: found -1 1:1.10.7-2+deb9u4
> Control: found -1 1:1.10.7-1

This is correct.

> CVE-2019-12308[0]:
> | An issue was discovered in Django 1.11 before 1.11.21, 2.1 before
> | 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed
> | by the AdminURLFieldWidget displays the provided value without
> | validating it as a safe URL. Thus, an unvalidated value stored in the
> | database, or a value provided as a URL query parameter payload, could
> | result in a clickable JavaScript link.

This was plain wrong for this bug report, apologies for that. This bug
is meant to track the following CVE:

CVE-2019-12781[0]
| Incorrect HTTP detection with reverse-proxy connecting via HTTPS

as per [1].

 [0] https://security-tracker.debian.org/tracker/CVE-2019-12781
 [1] https://www.djangoproject.com/weblog/2019/jul/01/security-releases/

Please do ignore the above CVE description, which belongs to another
issue already fixed for python-django.

Regards,
Salvatore
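The mail only gives the CVE title; for readers checking whether their own deployment is affected, the following is an added stand-alone model of the scheme detection that the upstream advisory [1] describes (incorrect HTTPS detection when a reverse proxy talks to Django over HTTPS while the client used plain HTTP). It is not code from this mail, from the Debian package or from Django itself: the two functions mirror the shape of Django's HttpRequest.scheme before and after the upstream fix as I understand it, the setting name SECURE_PROXY_SSL_HEADER and the X-Forwarded-Proto header follow the Django documentation, and the WSGI environ dicts are constructed for the example.

```python
# Added example modelling CVE-2019-12781: not Django's own code.
# The WSGI environ dicts below are constructed, not captured from a server.

# Django setting as documented: (header key in request.META, value meaning "https").
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def scheme_vulnerable(meta, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Pre-fix behaviour (assumed from the upstream advisory): only a header
    value equal to the configured one forces 'https'. Any other value falls
    through to the transport scheme of the proxy->Django hop, which is
    'https' when the proxy itself connects over TLS."""
    if proxy_header:
        header, value = proxy_header
        if meta.get(header) == value:
            return "https"
    return meta.get("wsgi.url_scheme", "http")


def scheme_fixed(meta, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Post-fix behaviour: once the proxy header is present it is trusted
    completely, so a proxy reporting a plain-HTTP client yields 'http'
    regardless of how the proxy reached Django."""
    if proxy_header:
        header, value = proxy_header
        header_value = meta.get(header)
        if header_value is not None:
            return "https" if header_value == value else "http"
    return meta.get("wsgi.url_scheme", "http")


def ssl_redirect_needed(meta, scheme_func):
    """Models the SECURE_SSL_REDIRECT decision: redirect when not secure.
    Under the vulnerable logic an HTTP client behind a TLS-connected proxy
    is never redirected."""
    return scheme_func(meta) != "https"


# Case 1: client -> proxy over plain HTTP, proxy -> Django over HTTPS.
CLIENT_HTTP_PROXY_TLS = {
    "wsgi.url_scheme": "https",          # the proxy's own hop to Django
    "HTTP_X_FORWARDED_PROTO": "http",    # what the proxy says about the client
}
# Case 2: client -> proxy over HTTPS, proxy -> Django over HTTPS.
CLIENT_HTTPS_PROXY_TLS = {
    "wsgi.url_scheme": "https",
    "HTTP_X_FORWARDED_PROTO": "https",
}
# Case 3: no proxy header at all (direct connection over plain HTTP).
DIRECT_HTTP = {"wsgi.url_scheme": "http"}


def compare():
    """Return {case: (vulnerable_scheme, fixed_scheme)} for the constructed cases."""
    cases = {
        "client_http_proxy_tls": CLIENT_HTTP_PROXY_TLS,
        "client_https_proxy_tls": CLIENT_HTTPS_PROXY_TLS,
        "direct_http": DIRECT_HTTP,
    }
    return {name: (scheme_vulnerable(m), scheme_fixed(m)) for name, m in cases.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in compare().items():
        print(f"{name:24s} vulnerable={vuln:5s} fixed={fixed}")
```

Only the first case differs between the two versions: the vulnerable logic reports a plain-HTTP client as secure, so is_secure(), build_absolute_uri() and the SECURE_SSL_REDIRECT middleware all act as if the request arrived over HTTPS. Deployments where the proxy connects to Django over HTTP, or where SECURE_PROXY_SSL_HEADER is unset, do not hit this path.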


