| Summary: | <dev-python/django-{1.8.15,1.9.10}: CSRF protection bypass on a site with Google Analytics | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | jlec, python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.djangoproject.com/weblog/2016/sep/26/security-releases/ | ||
| Whiteboard: | B4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 598770 | ||
| Bug Blocks: | |||
@maintainer: you need to mask 1.7.x commit 6855253051c53fdcb07f62b792218550fa708bf8 Author: Justin Lecher <jlec@gentoo.org> Date: Sat Jun 3 20:33:58 2017 +0100 dev-python/django: Version Bump CVE-201{6-{2512,7401,9013,9014},7-{7233,7234}} Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=576876 Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=589134 Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=595544 Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=598770 Package-Manager: Portage-2.3.6, Repoman-2.3.2 Signed-off-by: Justin Lecher <jlec@gentoo.org> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6855253051c53fdcb07f62b792218550fa708bf8 All done, repository is clean. |
From ${URL} : In accordance with our security release policy, the Django team is issuing Django 1.9.10 and 1.8.15. These release addresses a security issue detailed below. We encourage all users of Django to upgrade as soon as possible. CVE-2016-7401: CSRF protection bypass on a site with Google Analytics An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. Thanks Sergey Bobrov for reporting the issue. Affected supported versions Django 1.9 Django 1.8 Django 1.10 and the master development branch are not affected. Per our supported versions policy, Django 1.7 and older are no longer receiving security updates. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.