Bug 24128

Summary: python-django new security issue CVE-2019-3498
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, makowski.mageia, marja11, smelror, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: python-django-1.11.17-1.mga7.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 24173    

Description David Walser 2019-01-04 16:25:03 CET 
Upstream has issued an advisory today (January 4):
https://www.djangoproject.com/weblog/2019/jan/04/security-releases/

The issue is fixed upstream in 1.1.18.

As with Bug 23377, I don't know if Mageia 6 is affected, as 1.8.x is no longer supported.  Hopefully Ubuntu or someone will be able to determine that again.
Marja Van Waes 2019-01-05 16:32:14 CET

Assignee: bugsquad => python
CC: (none) => makowski.mageia, marja11, smelror

Comment 1 Stig-Ørjan Smelror 2019-01-06 16:21:53 CET 
Version 1.11.18 pushed to Cauldron.
Comment 2 David Walser 2019-01-06 17:44:19 CET 
It sounds like 1.8.x is affected from a comment on the Debian bug for this, so we would have to backport this patch:
https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a

Version: Cauldron => 6

Comment 3 Stig-Ørjan Smelror 2019-01-06 21:20:43 CET 
Advisory
========

An upstream patch has been backported to fix a security vulnerability in python-django.

CVE-2019-3498: Content spoofing possibility in the default 404 page

An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view.

The URL path is no longer displayed in the default 404 template and the request_path context variable is now quoted to fix the issue for custom templates that use the path.

References
==========

https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
https://security-tracker.debian.org/tracker/CVE-2019-3498

Files
=====

Uploaded to core/updates_testing

python-django-1.8.19-1.1.mga6
python-django-bash-completion-1.8.19-1.1.mga6
python3-django-1.8.19-1.1.mga6
python-django-doc-1.8.19-1.1.mga6

from python-django-1.8.19-1.1.mga6.src.rpm

Assignee: python => qa-bugs

Comment 4 Herman Viaene 2019-01-11 10:39:18 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 17860 Comment 7 for testing
Got exactly the same results as described in there, no point in repeating it all here (python and python3).
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 5 Lewis Smith 2019-01-11 20:13:22 CET 
Thank you Herman. Pushing this on.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2019-01-11 22:09:20 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0035.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2019-01-13 18:08:03 CET

Blocks: (none) => 24173