Summary: | <dev-python/django-{1.8.18,1.9.13,1.10.7}: multiple vulnerabilities (CVE-2016-{9013,9014}, CVE-2017-{7233,7234}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | jlec, python |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://www.djangoproject.com/weblog/2016/nov/01/security-releases/ | | |
Whiteboard: | B3 [noglsa cve ] | | |
Package list: | dev-python/django-1.8.18 | | |
Runtime testing required: | --- | | |
Bug Depends on: | | | |
Bug Blocks: | 576876, 589134, 595544 | | |
Description
Agostino Sarubbo
2016-11-02 11:01:57 UTC
CVE-2016-9014 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9014):
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.

CVE-2016-9013 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9013):
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.

Comment #2 (Manuel Rüger)

from: https://docs.djangoproject.com/en/1.11/releases/1.10.7/

CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs

Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an “on success” URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs (e.g. http:999999999) “safe” when they shouldn’t be.

Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()

A maliciously crafted URL to a Django site using the serve() view could redirect to any other domain. The view no longer does any redirects as they don’t provide any known, useful functionality.

Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid.
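The two checks this bug describes as missing or too lax, written out as an added example that is not Django's own code (Django's real is_safe_url() and ALLOWED_HOSTS handling live in django.utils.http and django.http.request and are not reproduced here): a redirect-target validator that rejects scheme-without-host forms such as the http:999999999 case from CVE-2017-7233, and a Host header check with ALLOWED_HOSTS-style subdomain patterns of the kind CVE-2016-9014 says was skipped under DEBUG. The function names is_safe_redirect and host_is_allowed and the sample allow-list are this example's own assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for the examples below; a real deployment would take
# this from settings.ALLOWED_HOSTS.
SAMPLE_ALLOWED_HOSTS = ["example.com", ".internal.example.com"]

# Plausible hostname: DNS labels, or a bracketed IPv6 literal.
_HOST_RE = re.compile(r"[a-z0-9.\-]+|\[[0-9a-f:.]+\]")


def host_is_allowed(host_header, allowed_hosts):
    """Validate an HTTP Host header value against an allow-list.

    Entries are exact hostnames, or start with a dot to also match any
    subdomain (".example.com" matches example.com and www.example.com),
    the same pattern semantics Django uses for ALLOWED_HOSTS. A port suffix
    is ignored; anything that is not a plausible hostname is rejected.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literal, possibly followed by :port.
        end = host.find("]")
        if end == -1:
            return False
        host = host[: end + 1]
    elif host.count(":") == 1:
        host = host.rsplit(":", 1)[0]  # drop :port
    host = host.rstrip(".")  # "example.com." names the same host
    if not host or not _HOST_RE.fullmatch(host):
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Return True only if `url` may be used as a redirect target.

    Accepted: a path on the current site, or an absolute http(s) URL whose
    host passes host_is_allowed(). Rejected: foreign hosts, non-http
    schemes, and scheme-without-host forms such as "http:999999999" or
    "javascript:...", which urlparse reports with an empty netloc but which
    a browser would still follow or execute.
    """
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # Parsers and browsers disagree on how to treat embedded control
    # characters and spaces, so refuse them rather than guess.
    if any(ord(c) < 0x20 or c == " " for c in url):
        return False
    # Browsers treat backslashes as slashes and "///host" as "//host", so
    # both escape the current site even though urlparse sees only a path.
    if "\\" in url or url.startswith("///"):
        return False
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    if scheme and not parts.netloc:
        return False  # "http:999999999", "javascript:alert(1)"
    if scheme and scheme not in ("http", "https"):
        return False
    if require_https and scheme and scheme != "https":
        return False
    if parts.netloc:
        # Absolute URLs and scheme-relative "//other.example/..." both land
        # here; hostname already strips userinfo and port.
        host = parts.hostname or ""
        if ":" in host:  # re-bracket an IPv6 literal for host_is_allowed()
            host = "[" + host + "]"
        return host_is_allowed(host, allowed_hosts)
    return True  # plain path on the current site


if __name__ == "__main__":
    for candidate in ["/accounts/profile/", "http:999999999",
                      "https://example.com/next", "//evil.example/"]:
        print(candidate, "->", is_safe_redirect(candidate, SAMPLE_ALLOWED_HOSTS))
```

The key line is the netloc test: a value with a scheme and no network location is never a same-site path, so it is refused before any host comparison, which is what closes the http:999999999 gap. Host matching is shared by both functions so a Host header and a redirect target are held to the same allow-list.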
(In reply to Manuel Rüger from comment #2)
> from: https://docs.djangoproject.com/en/1.11/releases/1.10.7/
>
> CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
>
> Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an “on success” URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs (e.g. http:999999999) “safe” when they shouldn’t be.
>
> Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
>
> CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()
>
> A maliciously crafted URL to a Django site using the serve() view could redirect to any other domain. The view no longer does any redirects as they don’t provide any known, useful functionality.
>
> Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid.

CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()

A maliciously crafted URL to a Django site using the serve() view could redirect to any other domain. The view no longer does any redirects as they don’t provide any known, useful functionality.

Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid.

CVE-2017-7234 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7234): A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.
CVE-2017-7233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7233): Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

commit 6855253051c53fdcb07f62b792218550fa708bf8
Author: Justin Lecher <jlec@gentoo.org>
Date:   Sat Jun 3 20:33:58 2017 +0100

    dev-python/django: Version Bump

    CVE-201{6-{2512,7401,9013,9014},7-{7233,7234}}

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=576876
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=589134
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=595544
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=598770
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6855253051c53fdcb07f62b792218550fa708bf8

@ Arches, please test and mark stable =dev-python/django-1.8.18

x86 stable

amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.

commit e7f02f88e81c7780c7996e7230008855e711e98e
Author: Justin Lecher <jlec@gentoo.org>
Date:   Sat Jun 24 21:44:00 2017 +0200

    dev-python/django: Drop vulnerable versions

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=598770
    Package-Manager: Portage-2.3.3, Repoman-2.3.2
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7f02f88e81c7780c7996e7230008855e711e98e

GLSA Vote: No

Repository is clean, all done.