Debian Security Advisory
DLA-2233-1 python-django -- LTS security update
- Date Reported: 04 Jun 2020
- Affected Packages: python-django
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-2020-13254, CVE-2020-13596.
- More information:
It was discovered that there were two issues in Django, the Python web development framework:
CVE-2020-13254: Potential data leakage via malformed memcached keys.
In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.
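To make the collision concrete, the following is an added illustration (not Django's own code) of why a memcached backend must validate keys: memcached's text protocol terminates a key at the first whitespace, so two different application keys can be sent as the same protocol key. The `protocol_key` helper and the validator below are constructed for this example; the 250-byte limit and the ban on whitespace and control characters are memcached's documented key constraints.

```python
import re

# memcached text protocol: keys are at most 250 bytes and may not contain
# whitespace or control characters (assumed constraints for this example).
MEMCACHED_MAX_KEY_LENGTH = 250
_BAD_KEY_CHARS = re.compile(r"[\x00-\x20\x7f]")


class InvalidCacheKey(ValueError):
    """Raised for keys the memcached protocol cannot carry safely."""


def protocol_key(key):
    """Hypothetical model of how the text protocol reads an unvalidated key:
    everything after the first whitespace is parsed as the next token, so the
    effective key is truncated. This is what makes distinct keys collide."""
    return re.split(r"\s", key, maxsplit=1)[0]


def validate_memcached_key(key):
    """Reject malformed keys instead of silently letting them collide."""
    if len(key.encode("utf-8")) > MEMCACHED_MAX_KEY_LENGTH:
        raise InvalidCacheKey(
            "key longer than %d bytes" % MEMCACHED_MAX_KEY_LENGTH)
    if _BAD_KEY_CHARS.search(key):
        raise InvalidCacheKey("key contains whitespace or control characters")
    return key


def is_valid_memcached_key(key):
    """Boolean wrapper around validate_memcached_key for easy checking."""
    try:
        validate_memcached_key(key)
    except InvalidCacheKey:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a user-controlled fragment with a space in it ends up
    # addressing the same protocol key as a completely different entry.
    attacker_key = "user:1 session"
    victim_key = "user:1"
    print(protocol_key(attacker_key) == protocol_key(victim_key))  # True
    print(is_valid_memcached_key(attacker_key))  # False after validation
```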
CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget.
Query parameters to the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.
For more information, please see upstream's own announcement.
This upload also addresses test failures introduced in 1.7.11-1+deb8u3 and 1.7.11-1+deb8u8 via the fixes for CVE-2018-7537 and CVE-2019-19844 respectively.
For Debian 8 "Jessie", these problems have been fixed in version 1.7.11-1+deb8u9. We recommend that you upgrade your python-django packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS