| Summary: | python-django new security issue CVE-2016-7401 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/701999/ | ||
| Whiteboard: | has_procedure MGA5-64-OK advisory | ||
| Source RPM: | python-django-1.8.14-1.mga5.src.rpm | CVE: | CVE-2016-7401 |
| Status comment: | |||
Description
David Walser
2016-09-26 21:03:49 CEST
David Walser
2016-09-26 21:03:58 CEST
Whiteboard: (none) => MGA5TOO

python-django-1.8.15-1.mga5.noarch.rpm
python-django-bash-completion-1.8.15-1.mga5.noarch.rpm
python3-django-1.8.15-1.mga5.noarch.rpm
python-django-doc-1.8.15-1.mga5.noarch.rpm

from python-django-1.8.15-1.mga5.src.rpm

Are in 5/core/updates_testing

Cauldron freeze push asked

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=17860#c7

Advisory

CVE-2016-7401: CSRF protection bypass on a site with Google Analytics

An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.

Ref :
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7401
https://www.djangoproject.com/weblog/2016/sep/26/security-releases/

CVE: (none) => CVE-2016-7401
David Walser
2016-09-27 16:04:52 CEST
Version: Cauldron => 5
David Walser
2016-09-27 22:57:19 CEST
URL: (none) => http://lwn.net/Vulnerabilities/701999/

Testing MGA5-64

BEFORE update:
python-django-1.8.14-1.mga5
python-django-doc-1.8.14-1.mga5
python3-django-1.8.14-1.mga5
python-django-bash-completion-1.8.14-1.mga5

Ran the tests as per https://bugs.mageia.org/show_bug.cgi?id=17860#c7

Python:
$ django-admin startproject mysite
$ cd mysite/
$ python manage.py runserver [1st go]
Performing system checks...
System check identified no issues (0 silenced).
You have unapplied migrations; your app may not work properly until they are applied.
Run 'python manage.py migrate' to apply them.
March 04, 2016 - 18:58:12
Django version 1.8.10, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
^C
$ python manage.py migrate
Operations to perform:
[etc as shown in the reference, all OK]
$ python manage.py runserver [2nd go]
Performing system checks...
System check identified no issues (0 silenced).
March 04, 2016 - 18:58:46
Django version 1.8.10, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[ Point a browser to http://localhost:8000/ and you should see:
"It worked! Congratulations on your first Django-powered page." ]
^C
$ cd .. [To tidy up]
$ rm -rf mysite/
--------
Python3:
$ python3-django-admin startproject mysite
$ cd mysite/
$ python3 manage.py runserver [1st go]
[Same O/P as 1st such command as above]
^C
$ python3 manage.py migrate
[Same O/P as above all OK]
$ python3 manage.py runserver [2nd go]
[Same O/P and browser result as per 2nd such command above]
^C
$ cd .. [To tidy up]
$ rm -rf mysite/
----------------------
AFTER update:
python-django-bash-completion-1.8.15-1.mga5
python3-django-1.8.15-1.mga5
python-django-doc-1.8.15-1.mga5
python-django-1.8.15-1.mga5

Same results as before for both Python & Python3.
This update looks OK.

CC: (none) => lewyssmith
Dave Hodgins
2016-10-04 13:41:27 CEST
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0334.html

Status: NEW => RESOLVED