Bug 595544 (CVE-2016-7401) - <dev-python/django-{1.8.15,1.9.10}: CSRF protection bypass on a site with Google Analytics
Status: RESOLVED FIXED
Alias: CVE-2016-7401
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: CVE-2016-9013, CVE-2016-9014, CVE-2017-7233, CVE-2017-7234
Blocks:
Reported: 2016-09-29 14:19 UTC by Agostino Sarubbo
Modified: 2017-06-28 12:58 UTC

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-09-29 14:19:48 UTC
From ${URL} :

In accordance with our security release policy, the Django team is issuing Django 1.9.10 and 1.8.15. These releases address a security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2016-7401: CSRF protection bypass on a site with Google Analytics

An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.

Thanks Sergey Bobrov for reporting the issue.

Affected supported versions

Django 1.9
Django 1.8
Django 1.10 and the master development branch are not affected.

Per our supported versions policy, Django 1.7 and older are no longer receiving security updates.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2016-09-29 14:20:21 UTC
@maintainer: you need to mask 1.7.x
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2017-06-03 19:38:18 UTC
commit 6855253051c53fdcb07f62b792218550fa708bf8
Author: Justin Lecher <jlec@gentoo.org>
Date:   Sat Jun 3 20:33:58 2017 +0100

    dev-python/django: Version Bump CVE-201{6-{2512,7401,9013,9014},7-{7233,7234}}

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=576876
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=589134
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=595544
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=598770
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6855253051c53fdcb07f62b792218550fa708bf8
Comment 3 Thomas Deutschmann gentoo-dev 2017-06-28 12:58:43 UTC
All done, repository is clean.