Bug 22727

Summary: python-django new security issues CVE-2018-7536 and CVE-2018-7537
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: marja11, smelror, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: python-django-1.8.18-2.mga7.src.rpm CVE:
Status comment: Fixed upstream in 1.8.19

Description David Walser 2018-03-09 14:32:20 CET 
Upstream has issued an advisory on March 6:
https://www.djangoproject.com/weblog/2018/mar/06/security-releases/

The issues are fixed upstream in 1.8.19.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-03-09 14:32:34 CET

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 1.8.19

Comment 1 Marja Van Waes 2018-03-09 21:49:04 CET 
Assigning to the python stack maintainers

Assignee: bugsquad => python
CC: (none) => marja11

Stig-Ørjan Smelror 2018-03-10 22:45:45 CET

Assignee: python => smelror
CC: (none) => smelror

Comment 2 Stig-Ørjan Smelror 2018-03-10 23:13:17 CET 
Advisory
========

The python-django package has been updated to fix 2 security issues.


CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters.

CVE-2018-7537: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters.


References
==========
https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
https://security-tracker.debian.org/tracker/CVE-2018-7536
https://security-tracker.debian.org/tracker/CVE-2018-7537


Files
=====

These files are uploaded to core/updates_testing

python-django-1.8.19-1.mga6
python-django-bash-completion-1.8.19-1.mga6
python3-django-1.8.19-1.mga6
python-django-doc-1.8.19-1.mga6

from python-django-1.8.19-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Assignee: smelror => qa-bugs
Version: Cauldron => 6

Comment 3 Stig-Ørjan Smelror 2018-03-11 06:52:21 CET 
The package has also been updated in Cauldron.
Comment 4 claire robinson 2018-03-11 10:14:08 CET 
Advisory uploaded

Procedure: https://bugs.mageia.org/show_bug.cgi?id=17860#c7

Keywords: (none) => advisory, has_procedure

Comment 5 David Walser 2018-03-11 15:09:03 CET 
Ubuntu has issued an advisory for this on March 6:
https://usn.ubuntu.com/3591-1/

Severity: normal => major

Comment 6 Len Lawrence 2018-03-12 11:43:00 CET 
Mageia 6 :: x86_64

Clean update.
Following recommended test - comment 4.

$ django-admin startproject mysite
$ ls mysite
manage.py*  mysite

Continued to the point where the welcome message appears in the browser.
Ignored the exhortation to get to work...

This appears on the command line:
[12/Mar/2018 10:30:16] "GET / HTTP/1.1" 200 1767
[12/Mar/2018 10:30:16] "GET /favicon.ico HTTP/1.1" 404 1936
[12/Mar/2018 10:30:17] "GET /favicon.ico HTTP/1.1" 404 1936

Restarted the test from the beginning using python3 and observed the welcome message at localhost:8000/ in firefox.

Output was the same under both versions of python and agreed with the resiults of the tests for bug 17860.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Comment 7 Len Lawrence 2018-03-13 08:53:19 CET 
Validating this.  Would sysadmins please push to updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2018-03-14 17:22:13 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0166.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED