| Summary: | <dev-python/django-1.11.15: Open redirect possibility in CommonMiddleware (CVE-2018-14574) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | python, vdupras |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2018/08/01/2 | ||
| Whiteboard: | B3 [noglsa cve] | ||
| Package list: |
dev-python/django-1.11.15
|
Runtime testing required: | --- |
Agostino: I might need advice from a member of the security team here. Django doesn't track whether a vulnerability affects an unsupported version and django 1.8 isn't supported since april. Thus, I think it's reasonable to think that there are good chances for 1.8 to be affected. We still have 1.8 in the tree because it has a handful of revdeps. Do you think it's warranted to mask it ant its revdeps as a result of this bug? The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f13e7efa803147e9f82a01b6f7a6a8193f707e81 commit f13e7efa803147e9f82a01b6f7a6a8193f707e81 Author: Virgil Dupras <vdupras@gentoo.org> AuthorDate: 2018-08-01 17:53:00 +0000 Commit: Virgil Dupras <vdupras@gentoo.org> CommitDate: 2018-08-01 17:57:17 +0000 dev-python/django: security bump to 1.11.15 and 2.0.8 Bug: https://bugs.gentoo.org/662580 Package-Manager: Portage-2.3.44, Repoman-2.3.10 dev-python/django/Manifest | 3 +- dev-python/django/django-1.11.15.ebuild | 112 +++++++++++++++++++++ .../{django-2.0.7.ebuild => django-2.0.8.ebuild} | 0 3 files changed, 114 insertions(+), 1 deletion(-) amd64, x86, please stabilize: =dev-python/django-1.11.15 Thanks. x86 stable amd64 stable CVE-2018-14574 (https://nvd.nist.gov/vuln/detail/CVE-2018-14574): django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. GLSA vote: no The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=233e5e7a4367c06286ac946baa468dba3374b783 commit 233e5e7a4367c06286ac946baa468dba3374b783 Author: Virgil Dupras <vdupras@gentoo.org> AuthorDate: 2018-08-06 11:48:45 +0000 Commit: Virgil Dupras <vdupras@gentoo.org> CommitDate: 2018-08-06 11:48:45 +0000 dev-python/django: remove old and vulnerable Bug: https://bugs.gentoo.org/662580 Package-Manager: Portage-2.3.44, Repoman-2.3.10 dev-python/django/Manifest | 1 - dev-python/django/django-1.11.14.ebuild | 112 -------------------------------- 2 files changed, 113 deletions(-) |
From ${URL} : Today the Django team issued 1.11.15 and 2.0.8 as part of our security process. These releases address a security issue, and we encourage all users to upgrade as soon as possible: https://www.djangoproject.com/weblog/2018/aug/01/security-releases/ As a reminder, we ask that potential security issues be reported via private email to security@...ngoproject.com and not via Django's Trac instance or the django-developers list. Please see https://www.djangoproject.com/security for further information. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.