Bug 589134 (CVE-2016-6186) - <dev-python/django-{1.8.14,1.9.9,1.10}: XSS in admin's add/change related popup
Summary: <dev-python/django-{1.8.14,1.9.9,1.10}: XSS in admin's add/change related popup
Status: RESOLVED FIXED
Alias: CVE-2016-6186
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on: CVE-2016-2512, CVE-2016-9013, CVE-2016-9014, CVE-2017-7233, CVE-2017-7234
Blocks:
Reported: 2016-07-19 07:39 UTC by Agostino Sarubbo
Modified: 2017-06-28 12:58 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2016-07-19 07:39:09 UTC
From ${URL} :

CVE-2016-6186: XSS in admin's add/change related popup

Unsafe usage of JavaScript's Element.innerHTML could result in XSS in the admin's add/change related popup. Element.textContent is now used to prevent execution of the data.

The debug view also used innerHTML. Although a security issue wasn't identified there, out of an abundance of caution it's also updated to use textContent.

Thanks Vulnerability Laboratory for reporting the issue and Paulo Alvarado for forwarding it to us.
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
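To illustrate the innerHTML-versus-textContent distinction the advisory describes, here is an added example that is not Django's code and not part of this bug report. It models the popup handing the related object's display name (newRepr) back to the opener's select: because Node has no DOM, the option is serialised to an HTML string, where splicing the raw string in stands for an innerHTML assignment and escaping it first stands for a textContent assignment. All function names and the sample repr are assumptions constructed for this example.

```javascript
// Constructed sample: a related object whose string representation carries markup.
const ATTACKER_REPR = 'Acme <img src=x onerror="evil()">';

// Escape the five characters that can change how a string is parsed as HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Reverse of escapeHtml, used only to show what the browser would display.
function unescapeHtml(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'"
  })[e]);
}

// Vulnerable shape: repr is interpreted as markup, which is what an
// innerHTML assignment does with a string.
function renderOptionUnsafe(id, repr) {
  return `<option value="${escapeHtml(id)}">${repr}</option>`;
}

// Fixed shape: repr is interpreted as text, which is what a textContent
// assignment does; the characters are still shown, but never parsed as tags.
function renderOptionSafe(id, repr) {
  return `<option value="${escapeHtml(id)}">${escapeHtml(repr)}</option>`;
}

// Strip the <option> wrapper so only the part derived from repr remains.
function optionBody(optionHtml) {
  return optionHtml.replace(/^<option[^>]*>/, '').replace(/<\/option>$/, '');
}

// Crude detection: did any tag end up in the body that the template did not put there?
function containsInjectedTag(optionHtml) {
  return /<[a-z!\/]/i.test(optionBody(optionHtml));
}

// What a user would see in the select after the browser decodes entities.
function displayedText(optionHtml) {
  return unescapeHtml(optionBody(optionHtml));
}
```

With the safe renderer the malicious repr is displayed verbatim as text, so the fix loses no information for legitimate names such as "Smith & Sons".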
Comment 1 Johann Schmitz (ercpe) (RETIRED) gentoo-dev 2016-08-07 07:29:11 UTC
I've bumped Django to 1.8.14 and 1.9.9, added 1.10 and removed 1.9.2 and 1.9.5.

@python: could you please handle stabilization of 1.8.14 and drop 1.8.9?
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2017-06-03 19:38:25 UTC
commit 6855253051c53fdcb07f62b792218550fa708bf8
Author: Justin Lecher <jlec@gentoo.org>
Date:   Sat Jun 3 20:33:58 2017 +0100

    dev-python/django: Version Bump CVE-201{6-{2512,7401,9013,9014},7-{7233,7234}}

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=576876
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=589134
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=595544
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=598770
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6855253051c53fdcb07f62b792218550fa708bf8
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-28 12:58:58 UTC
All done, repository is clean.