Debian Long Term Support / LTS Security Information / 2019 / Security Information -- DLA-1814-1 python-django

Debian Security Advisory

DLA-1814-1 python-django -- LTS security update

Date Reported:

05 Jun 2019

Affected Packages:

python-django

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2019-3498.

More information:

It was discovered that there was a cross-site scripting (XSS) vulnerability in the Django web development framework

• CVE-2019-12308

  An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

For Debian 8 Jessie, these problems have been fixed in version 1.7.11-1+deb8u5.

We recommend that you upgrade your python-django packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS