Bug 667456 (CVE-2018-16984) - <dev-python/django-2.1.2: Password hash disclosure to "view only" admin users
Summary: <dev-python/django-2.1.2: Password hash disclosure to "view only" admin users
Status: RESOLVED FIXED
Alias: CVE-2018-16984
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-01 15:37 UTC by Agostino Sarubbo
Modified: 2018-12-01 14:30 UTC

See Also:
Package list:
dev-python/django-2.1.2
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2018-10-01 15:37:54 UTC
From ${URL} :

CVE-2018-16984: Password hash disclosure to "view only" admin users
If an admin user has the change permission to the user model, only part of the password hash is displayed in the change form. Admin users with the view (but not change) permission to the user model were displayed the entire hash. While it's typically infeasible to reverse a strong password hash, if your site uses weaker password hashing algorithms such as MD5 or SHA1, it could be a problem.

Thanks Phithon Gong for reporting this issue.


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
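The advisory above turns on one rendering rule: an admin form should show a masked summary of the stored hash (algorithm, work factor, a prefix of the salt and digest), and that rule must apply to every permission level that can see the form, not only to users with change permission. The following is an added example written for this bug report; it is not Django's own widget code and it does not reproduce the vulnerable code path. It assumes the `<algorithm>$<iterations>$<salt>$<hash>` layout used by PBKDF2-style hashers (three-part layouts for salted legacy hashers are handled too), and the `WEAK_ALGORITHMS` set is a constructed list of names, not a reference to Django's hasher registry.

```python
"""Mask a stored password hash for display in an admin form.

Added example, not Django's own code. It shows the behaviour the
fix in django 2.1.2 restores: the same masked summary is rendered
for "view only" and "change" permission alike, and no permission
level receives the raw encoded hash.
"""

# Constructed list of algorithm names that should trigger a warning;
# not Django's hasher registry.
WEAK_ALGORITHMS = {"md5", "sha1"}


def mask(value, keep=6):
    """Keep the first `keep` characters of `value`, replace the rest with a fixed-width mask."""
    return value[:keep] + "*" * 10


def summarize_hash(encoded):
    """Return the fields of an encoded hash that are safe to show in a form.

    Assumed layouts: "<algorithm>$<iterations>$<salt>$<hash>" (PBKDF2 style)
    or "<algorithm>$<salt>$<hash>" (salted legacy hashers). Anything else is
    reported as unknown and fully masked. The full digest is never returned.
    """
    parts = encoded.split("$")
    if len(parts) == 4:
        algorithm, iterations, salt, digest = parts
        return {
            "algorithm": algorithm,
            "iterations": iterations,
            "salt": mask(salt, 2),
            "hash": mask(digest),
        }
    if len(parts) == 3:
        algorithm, salt, digest = parts
        return {"algorithm": algorithm, "salt": mask(salt, 2), "hash": mask(digest)}
    # Unknown or unusable format: reveal nothing from the stored value.
    return {"algorithm": "unknown", "hash": mask(encoded, 0)}


def render_for_user(encoded, can_view, can_change):
    """Render the password field for an admin user.

    View-only and change permission produce the identical masked summary;
    users with neither permission get nothing at all.
    """
    if not (can_view or can_change):
        raise PermissionError("no permission on the user model")
    summary = summarize_hash(encoded)
    lines = [f"{key}: {value}" for key, value in summary.items()]
    if summary["algorithm"] in WEAK_ALGORITHMS:
        # Even a masked summary is worth flagging when the underlying
        # hasher is weak; the remediation is to rotate PASSWORD_HASHERS.
        lines.append("warning: weak hashing algorithm in use; rotate PASSWORD_HASHERS")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample value, not a real hash.
    sample = "pbkdf2_sha256$120000$abcdefghijkl$ZmFrZWhhc2hmYWtlaGFzaGZha2VoYXNo"
    print(render_for_user(sample, can_view=True, can_change=False))
```

The check a reviewer would apply to any such widget is the one the test below encodes: render once with view-only permission and once with change permission, and assert that neither output contains the digest portion of the stored value.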
Comment 1 Virgil Dupras (RETIRED) gentoo-dev 2018-10-02 14:39:01 UTC
Yes it is. Arches, please stabilize dev-python/django-2.1.2. Thanks.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-10-02 21:01:46 UTC
amd64 stable
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-05 04:50:49 UTC
x86 stable
Comment 4 Larry the Git Cow gentoo-dev 2018-10-05 11:45:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=217a3daeb7e95e0830b744228d4bd6910ead5ec1

commit 217a3daeb7e95e0830b744228d4bd6910ead5ec1
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-05 11:44:01 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-05 11:44:01 +0000

    dev-python/django: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/667456
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.50, Repoman-2.3.11

 dev-python/django/Manifest            |  1 -
 dev-python/django/django-2.1.1.ebuild | 87 -----------------------------------
 2 files changed, 88 deletions(-)
Comment 5 Virgil Dupras (RETIRED) gentoo-dev 2018-10-05 11:47:12 UTC
Stabilization and cleanup done
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2018-11-30 22:46:06 UTC
(In reply to Virgil Dupras from comment #5)
> Stabilization and cleanup done

Virgil, I still see 2.0.9, was it unaffected?
Comment 7 Virgil Dupras (RETIRED) gentoo-dev 2018-12-01 13:45:46 UTC
Aaron, no, the 2.0.x and 1.11.x were not affected. Those two branches are still supported, so they would have been part of the advisory had they been affected.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2018-12-01 14:30:52 UTC
(In reply to Virgil Dupras from comment #7)
> Aaron, no, the 2.0.x and 1.11.x were not affected. Those two branches are
> still supported, so they would have been part of the advisory had they been
> affected.

Thank you!