Bug 20628

Summary: python-django new security issues CVE-2017-7233 and CVE-2017-7234
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, makowski.mageia, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Source RPM: python-django-1.8.16-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-04-05 12:01:09 CEST 
Upstream has issued an advisory on April 4:
https://www.djangoproject.com/weblog/2017/apr/04/security-releases/

The issues are fixed in 1.8.18.

Mageia 5 is also affected.
David Walser 2017-04-05 12:01:17 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-04-05 12:04:00 CEST 
Ubuntu has issued an advisory for this on April 4:
https://www.ubuntu.com/usn/usn-3254-1/
Comment 2 Philippe Makowski 2017-04-05 15:10:29 CEST 
noted, I will upgrade mg5 and mga6 packages

Status: NEW => ASSIGNED

Comment 3 Marja Van Waes 2017-04-08 16:18:13 CEST 
Again, because this morning's changes got lost:


Copying Philippem's advisory etc from QA ml:

___________________________________________________________________________


python-django-1.8.16-1.1.mga5 in 5/core/updates_testing

packages :
python-django-1.8.16-1.1.mga5.noarch.rpm
python-django-bash-completion-1.8.16-1.1.mga5.noarch.rpm
python3-django-1.8.16-1.1.mga5.noarch.rpm
python-django-doc-1.8.16-1.1.mga5.noarch.rpm

from :
python-django-1.8.16-1.1.mga5.src.rpm


Advisory :

It was discovered that Django incorrectly handled numeric redirect URLs. A
remote attacker could possibly use this issue to perform XSS attacks, and
to use a Django server as an open redirect. (CVE-2017-7233)

Phithon Gong discovered that Django incorrectly handled certain URLs when
the jango.views.static.serve() view is being used. A remote attacker could
possibly use a Django server as an open redirect. (CVE-2017-7234)


refs :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7233
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7234
https://www.djangoproject.com/weblog/2017/apr/04/security-releases/
http://www.ubuntu.com/usn/usn-3254-1

Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA5TOO => (none)
Status: ASSIGNED => NEW
Version: Cauldron => 5
CC: (none) => makowski.mageia, marja11

Comment 4 Dave Hodgins 2017-04-09 01:33:57 CEST 
Tested as per https://bugs.mageia.org/show_bug.cgi?id=17860#c7
Advisory added to svn.
Validating the update.

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2017-04-14 21:41:07 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0106.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED