| Summary: | python-django new security issue CVE-2019-6975 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK | ||
| Source RPM: | python-django-1.11.18-5.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2019-02-11 13:31:57 CET
python-django-1.11.20-1.mga7 uploaded for Cauldron by Stig-Ørjan.

Version: Cauldron => 6

Debian says that 1.7.x isn't affected, so that rules out 1.6.x:
https://security-tracker.debian.org/tracker/CVE-2019-6975

Ubuntu hasn't triaged the issue as of this posting:
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6975.html

We can probably figure it out by looking at the commit that fixed it:
https://github.com/django/django/commit/0bbb560183fabf0533289700845dafa94951f227
and see if the vulnerable code is present in 1.8.x.

Yes, the vulnerable code is present in 1.8.x.

Advisory:
========================
Updated python-django packages fix security vulnerability:
If django.utils.numberformat.format() -- used by contrib.admin as well as the
floatformat, filesizeformat, and intcomma template filters -- received a
Decimal with a large number of digits or a large exponent, it could lead to
significant memory usage due to a call to '{:f}'.format() (CVE-2019-6975).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6975
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
========================
Updated packages in core/updates_testing:
========================
python-django-1.8.19-1.2.mga6
python-django-bash-completion-1.8.19-1.2.mga6
python3-django-1.8.19-1.2.mga6
python-django-doc-1.8.19-1.2.mga6
from python-django-1.8.19-1.2.mga6.src.rpm

Assignee: bugsquad =>
qa-bugs

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 24173 for tests:

```
$ django-admin --help
Type 'django-admin help <subcommand>' for help on a specific subcommand.

Available subcommands:

[django]
    check
    compilemessages
    createcachetable
    dbshell
    diffsettings
    etc ......
```

```
$ django-admin startproject testdjango
```

creates a folder testdjango and in it another folder testdjango and a file manage.py

```
$ cd testdjango/
$ python3 manage.py help
Type 'manage.py help <subcommand>' for help on a specific subcommand.

Available subcommands:

[auth]
    changepassword
    createsuperuser

[django]
    check
    compilemessages
    createcachetable
    dbshell
    diffsettings
    etc.......
```

So it works OK for python3.

```
$ python manage.py runserver
Performing system checks...

System check identified no issues (0 silenced).

You have unapplied migrations; your app may not work properly until they are applied.
Run 'python manage.py migrate' to apply them.

February 12, 2019 - 14:27:19
Django version 1.8.19, using settings 'testdjango.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
```

With the server running, point a browser to http://localhost:8000/ and you should see:
"It worked! Congratulations on your first Django-powered page."
Is OK.

```
$ cd
$ django-admin runserver
Traceback (most recent call last):
  File "/usr/bin/django-admin", line 5, in <module>
    management.execute_from_command_line()
```

and more errors like that, but I can sort of understand that, since that way the program is no longer on the path of the setup.

```
$ cd testdjango/
$ python3 manage.py runserver
Performing system checks...

System check identified no issues (0 silenced).

You have unapplied migrations; your app may not work properly until they are applied.
Run 'python manage.py migrate' to apply them.

February 12, 2019 - 14:30:54
Django version 1.8.19, using settings 'testdjango.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
```
The browser shows the same page as above, so OK. Unless Lewis or someone else objects, I give it OK.

CC: (none) => herman.viaene
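The advisory text in the description names the cause ('{:f}'.format() on a Decimal with a huge exponent) but not the shape of the upstream fix or how to tell a patched install from an unpatched one. The following stand-alone Python model is an added example; it is not Django's code, not the Mageia patch, and not part of this bug. `format_unpatched` is the pre-fix behaviour, `format_patched` follows the idea of the linked upstream commit (fall back to '{:e}' once digits plus |exponent| pass an arbitrary cutoff of 200), `expanded_length` computes arithmetically how large the pre-fix string would be so that hostile inputs never have to be expanded, and `installed_django_is_patched` is a constructed probe against a real Django install if one is importable. The non-finite guard, the probe, and the assumption that `settings.configure()` with no arguments is enough for the call are this example's own additions.

```python
"""Model of CVE-2019-6975: django.utils.numberformat.format() expanded every
Decimal with '{:f}', so a 13-character input like Decimal('1E+100000000')
produced a string of one hundred million digits. Added example, not Django's
code."""
from decimal import Decimal

# Arbitrary cutoff; the upstream fix also uses 200.
DIGIT_CUTOFF = 200


def format_unpatched(number: Decimal) -> str:
    """Pre-fix behaviour: unconditional positional expansion via '{:f}'.
    Output length is proportional to the exponent, so only call this with
    modest exponents (the test below keeps them at a few thousand)."""
    return "{:f}".format(number)


def format_patched(number: Decimal) -> str:
    """Post-fix behaviour, modelled on the upstream change: use scientific
    notation when the positional expansion would be too long. The non-finite
    check is this example's own addition: as_tuple() reports a non-numeric
    exponent for NaN/Infinity, so abs() on it would raise."""
    if not number.is_finite():
        return str(number)
    _, digits, exponent = number.as_tuple()
    if abs(exponent) + len(digits) > DIGIT_CUTOFF:
        return "{:e}".format(number)  # e.g. '1e+100000000': 12 characters
    return "{:f}".format(number)


def expanded_length(number: Decimal) -> int:
    """Number of characters '{:f}' would emit for a finite Decimal, derived
    from the tuple form so it is safe to evaluate for hostile exponents.
    Counts the '-' sign and the leading '0' of pure fractions."""
    sign, digits, exponent = number.as_tuple()
    if exponent >= 0:
        body = len(digits) + exponent               # digits then padding zeros
    else:
        int_digits = max(len(digits) + exponent, 1)  # at least the leading '0'
        body = int_digits + 1 + (-exponent)          # '.' plus the fraction
    return body + sign


def installed_django_is_patched():
    """Constructed probe: call the real django.utils.numberformat.format if
    Django is importable. Returns True/False, or None when Django is absent.
    Exponent 500 trips the guard on a patched install but only costs a
    501-character string on an unpatched one. Assumes a bare
    settings.configure() is enough for the call (the function reads
    settings.USE_L10N on older releases)."""
    try:
        from django.conf import settings
        from django.utils.numberformat import format as nformat
    except ImportError:
        return None
    if not settings.configured:
        settings.configure()
    return "e" in nformat(Decimal("1E+500"), ".")


if __name__ == "__main__":
    hostile = Decimal("1E+100000000")
    print("unpatched path would allocate", expanded_length(hostile), "characters")
    print("patched path returns", repr(format_patched(hostile)))
    print("installed Django patched:", installed_django_is_patched())
```

Running the script on a box with the updated python-django installed should print `True` for the last line; `None` means Django is not importable from that interpreter, and `False` means the installed numberformat still expands the hostile value positionally.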
Dave Hodgins
2019-02-14 08:06:19 CET
Keywords: (none) => advisory, validated_update
Status: NEW => RESOLVED

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0086.html

Ubuntu advisory from February 13 just for reference:
https://usn.ubuntu.com/3890-1/