[SECURITY] [DLA 1842-1] python-django security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1842-1] python-django security update
From: "Chris Lamb" <lamby@debian.org>
Date: Mon, 01 Jul 2019 17:56:20 -0300
Message-id: <[🔎] 902095bf-fe44-48dd-8a95-0e8a97b0b9f6@www.fastmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : python-django
Version        : 1.7.11-1+deb8u6
CVE ID         : CVE-2019-12308
Debian Bug     : #931316

It was discovered that the Django Python web development framework
did not correct identify HTTP connections when a reverse proxy
connected via HTTPS.

When deployed behind a reverse-proxy connecting to Django via HTTPS
django.http.HttpRequest.scheme would incorrectly detect client
requests made via HTTP as using HTTPS. This resulted in incorrect
results for is_secure(), and build_absolute_uri(), and that HTTP
requests would not be redirected to HTTPS in accordance with
SECURE_SSL_REDIRECT.

HttpRequest.scheme now respects SECURE_PROXY_SSL_HEADER, if it is
configured, and the appropriate header is set on the request, for
both HTTP and HTTPS requests.

If you deploy Django behind a reverse-proxy that forwards HTTP
requests, and that connects to Django via HTTPS, be sure to verify
that your application correctly handles code paths relying on scheme,
is_secure(), build_absolute_uri(), and SECURE_SSL_REDIRECT.

For Debian 8 "Jessie", this issue has been fixed in python-django version
1.7.11-1+deb8u6.

We recommend that you upgrade your python-django packages.


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl0abvYACgkQHpU+J9Qx
Hli6HQ//dSBNZSZJu42iLTzaj+4kcmu94/TeP5I9Ov4X9C0xBxMj//BQ0Iu48I8c
x0I7+6TOKYqi3vGafE9KdNkYV/C1HGPsnyohJvSA4YqWEPJ1cq7f3hhpcb31mEB3
ZgCtAEh9tcJ5UcS+P5XBmUOZikheM64G7vvMtK1UvC73e8M4Bbc+K1ie9OL1tebH
/jcPxtPj9aLpz9+g7mIUjGxllSp28NgoiUyhvsRL0iHfT1aFf1SmngHbBPiq8tPz
ZKnAYORTPgUt2GER4p3il23p64xY6BzyhHdHw8cQWCGqWN4x0WeIhre89Ve6eoI4
RT9BMIa43rjgfX3T21KkcSwBWu6pTRHYPwv3d2T6sAxGugLNnlZNLAHRKAXIvLx9
DIRHpe6z0iXEX4rpLXX0Nw5jxglBbv8/38r4TPyece6g3uJqZTbkJcANVfte6z7G
Yw2X7e/JUyQ3QIAxxPQRKvtCf8gmf7x3JzddvQAR+lAc3/+kggoe1v+y3lnKTYUr
R2JNptEN3ZRmYPuzGEEkJtYdIHTNhWHkSAkSTKHC6MIOhWFZzQoy8O5WmZNTd/gU
girJ/ASMlsV6xBnJimTFM+Rl9dgWVQ4SJQLf0qcsh3o9iUK5o1DKFQZ4AG6QZvEW
Ipe/rpzMOoKcS2pztZTE39tLKcQxTvN6dDUKLCRO9WgSINRtWiA=
=pmuj
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1837-2] rdesktop regression update
Next by Date: [SECURITY] [DLA 1843-1] pdns security update
Previous by thread: [SECURITY] [DLA 1837-2] rdesktop regression update
Next by thread: [SECURITY] [DLA 1843-1] pdns security update
Index(es):
- Date
- Thread