[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 885-1] python-django security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : python-django
Version        : 1.4.22-1+deb7u3
CVE ID         : CVE-2017-7233, CVE-2017-7234
Debian Bug     : #859515, #859516

It was discovered that there were two vulnerabilities in python-django, a
high-level Python web development framework.

CVE-2017-7233 (#859515): Open redirect and possible XSS attack via
user-supplied numeric redirect URLs. Django relies on user input in some cases
(e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an
"on success" URL. The security check for these redirects (namely is_safe_url())
considered some numeric URLs (e.g.  http:999999999) "safe" when they shouldn't
be. Also, if a developer relied on is_safe_url() to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS attack.

CVE-2017-7234 (#895516): Open redirect vulnerability in
django.views.static.serve; A maliciously crafted URL to a Django site using the
serve() view could redirect to any other domain. The view no longer does any
redirects as they don't provide any known, useful functionality.

For Debian 7 "Wheezy", this issue has been fixed in python-django version
1.4.22-1+deb7u3.

We recommend that you upgrade your python-django packages.


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAljksoIACgkQHpU+J9Qx
Hlj41RAAnngRzpAXXiIi5tB3ZcFwPLFCFtDwZXtmlphEZbY0EnRFNEnGFojdvUQ+
FDqN17xFmVZmn3fcdaOK2Z1+2e7P7+aeqri4B/hkmMgCm0lSNd1Hgxz3vaAOJLBy
UoPglnS6QnDKKECXZf3XBPGPAne71gjTMZYj5i6TR50N48fusuYGipAikgzmdv4U
uVMCTtXb/SkuHBEd8f0PgSpU3j0X7wO/mJDuXmdWyV8DG6sEiHU+qxLBZ5xVTaiU
3M+LxtW/bJaITo23ZWhhi/y3FBjYreGDTn3H39Uaj2HiUv1MbqVZPADX2J5sKJR+
DtjiaeM6nwofl6txrwze5vsZiO2NyZ64UP8QvnywBlzyyPunKHAfrpAeMNtO0K1A
UquhJhh/bRaLdC8vZt/+Ea9oc9cka5zAQIS/izYgSuy0X9sx0qEDi9i64MFMsmFn
Lp8Fw9kI06NvaNJ2sqigmBnBIy3bO6R6CvYRuWDRicb9WHwXXUaplEhMVE4RWUWD
iw7aOp6RSbWyOQK9DuPEtLhdPv02K5LE29U0LUtGlO8Q9gBtSgiIoHvDa/C8cUfs
Osq/gxjHt4kAhWa/Xe+Q9nGsenxRYnPRNX6AKrR0aIGZtHnA0LO7NP//i9VY62oa
MSdUShCgu0r5gYVM3pBJxPFJNLrC6U0RGIR9rVGDqnBhT5moNpk=
=cKLV
-----END PGP SIGNATURE-----


Reply to: