From ${URL} : Today the Django team issued 1.11.15 and 2.0.8 as part of our security process. These releases address a security issue, and we encourage all users to upgrade as soon as possible: https://www.djangoproject.com/weblog/2018/aug/01/security-releases/ As a reminder, we ask that potential security issues be reported via private email to security@...ngoproject.com and not via Django's Trac instance or the django-developers list. Please see https://www.djangoproject.com/security for further information.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Agostino: I might need advice from a member of the security team here. Django doesn't track whether a vulnerability affects an unsupported version, and Django 1.8 hasn't been supported since April. Thus, I think it's reasonable to think that there are good chances for 1.8 to be affected. We still have 1.8 in the tree because it has a handful of revdeps. Do you think it's warranted to mask it and its revdeps as a result of this bug?
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f13e7efa803147e9f82a01b6f7a6a8193f707e81

commit f13e7efa803147e9f82a01b6f7a6a8193f707e81
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-01 17:53:00 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-01 17:57:17 +0000

dev-python/django: security bump to 1.11.15 and 2.0.8

Bug: https://bugs.gentoo.org/662580
Package-Manager: Portage-2.3.44, Repoman-2.3.10

 dev-python/django/Manifest                          |   3 +-
 dev-python/django/django-1.11.15.ebuild             | 112 +++++++++++++++++++++
 .../{django-2.0.7.ebuild => django-2.0.8.ebuild}    |   0
 3 files changed, 114 insertions(+), 1 deletion(-)
amd64, x86, please stabilize: =dev-python/django-1.11.15 Thanks.
x86 stable
amd64 stable
CVE-2018-14574 (https://nvd.nist.gov/vuln/detail/CVE-2018-14574): django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
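The comment above names the flaw but not its shape. Added illustration, not Django's code and not part of this bug thread: per Django's own release notes for 1.11.15 and 2.0.8, the open redirect arises when CommonMiddleware's APPEND_SLASH redirect rebuilds a request path that begins with two slashes, so the Location header becomes a scheme-relative URL that browsers resolve against another host. The block below models that with a small stand-in for the redirect-target construction (the names `append_slash_redirect_target`, `safe_append_slash_redirect_target`, `redirect_leaves_host` and `audit` are this example's own, not Django's), shows the percent-encoding of the second leading slash that the patched releases apply, and runs a host-check over constructed sample paths.

```python
"""Illustration of CVE-2018-14574 (not Django's code): a protocol-relative
redirect target produced by an APPEND_SLASH-style redirect, and the
leading-slash escaping that closes it.  All request paths below are
constructed samples, not captured traffic."""
from urllib.parse import urlsplit


def append_slash_redirect_target(path, query=""):
    """Vulnerable form: rebuild the request path with a trailing slash and
    use it verbatim as the redirect Location.  A path that starts with '//'
    is then a scheme-relative URL, i.e. it names another host."""
    target = path if path.endswith("/") else path + "/"
    return target + ("?" + query if query else "")


def escape_leading_slashes(url):
    """Hardened form: percent-encode the second of two leading slashes so a
    browser cannot read the Location as schemeless '//host/...'.  This is
    the same idea as the fix shipped in the patched Django releases; the
    function here is a stand-alone re-implementation for the example."""
    if url.startswith("//"):
        url = "/%2F" + url[2:]
    return url


def safe_append_slash_redirect_target(path, query=""):
    """Redirect-target construction with the escaping applied."""
    return escape_leading_slashes(append_slash_redirect_target(path, query))


def redirect_leaves_host(location, host):
    """Resolve a Location header the way a browser would: any value with a
    network location that is not the serving host is an open redirect."""
    parts = urlsplit(location)
    return bool(parts.netloc) and parts.netloc != host


# Constructed sample request paths: an ordinary APPEND_SLASH case, two
# crafted scheme-relative paths, and the root.
SAMPLES = [
    ("/blog/post", ""),
    ("//attacker.example/phish", ""),
    ("//attacker.example", "next=1"),
    ("/", ""),
]


def audit(host="www.example.org"):
    """Compare the vulnerable and hardened Location for every sample and
    record whether each would send the browser off-host."""
    results = []
    for path, query in SAMPLES:
        vuln = append_slash_redirect_target(path, query)
        fixed = safe_append_slash_redirect_target(path, query)
        results.append({
            "path": path,
            "vulnerable_location": vuln,
            "vulnerable_leaves_host": redirect_leaves_host(vuln, host),
            "fixed_location": fixed,
            "fixed_leaves_host": redirect_leaves_host(fixed, host),
        })
    return results


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The check in `redirect_leaves_host` is the one worth keeping around: run it over the Location headers an application actually emits (for example from a response-logging middleware or a proxy log) and any hit is a redirect that needs the same escaping, whether or not the application is on a patched Django.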
GLSA vote: no
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=233e5e7a4367c06286ac946baa468dba3374b783

commit 233e5e7a4367c06286ac946baa468dba3374b783
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-06 11:48:45 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-06 11:48:45 +0000

dev-python/django: remove old and vulnerable

Bug: https://bugs.gentoo.org/662580
Package-Manager: Portage-2.3.44, Repoman-2.3.10

 dev-python/django/Manifest              |   1 -
 dev-python/django/django-1.11.14.ebuild | 112 --------------------------------
 2 files changed, 113 deletions(-)