| Summary: | python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34], CVE-2021-3281, CVE-2021-23336, CVE-2021-28658, etc | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Nicolas Lécureuil <mageia> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | jani.valimaa, mageia, qa-bugs, shlomif, tarazed25 |
| Version: | 7 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | python-django-1.11.20-1.mga7.src.rpm | CVE: | |
| Status comment: | Needs 5+ more patches to be added | | |
| Bug Depends on: | 28395, 28802 | | |
| Bug Blocks: | | | |

Description
David Walser
2019-06-04 13:09:14 CEST

David Walser
2019-06-04 13:09:22 CEST
Whiteboard: (none) => MGA7TOO

Upstream has issued an advisory today (July 1): https://www.djangoproject.com/weblog/2019/jul/01/security-releases/
The issue is fixed upstream in 1.11.22. Mageia 7 is also affected. Mageia 6 may be as well.
Summary: python-django new security issue CVE-2019-12308 => python-django new security issues CVE-2019-12308 and CVE-2019-12781

Upstream has issued an advisory on August 1: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
The issue is fixed upstream in 1.11.23. Mageia 7 is also affected. Mageia 6 may be as well.
Status comment: (none) => Fixed upstream in 1.11.23

Ubuntu advisory for the first two CVEs, from July 1: https://usn.ubuntu.com/4043-1/
Ubuntu advisory for the latter CVEs, from August 1: https://usn.ubuntu.com/4084-1/

openSUSE has issued an advisory for this on August 8: https://lists.opensuse.org/opensuse-updates/2019-08/msg00019.html

Upstream has issued an advisory today (December 2): https://www.djangoproject.com/weblog/2019/dec/02/security-releases/
The issue is fixed upstream in 2.2.8. Mageia 7 is not affected by this issue.
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5] => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118
David Walser
2019-12-02 14:09:52 CET
CC: (none) => jani.valimaa

Upstream has issued an advisory today (December 18): https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
The issue is fixed upstream in 1.11.27 and 2.2.9.
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118 => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844

Ubuntu has issued an advisory for the latest CVE on December 19: https://usn.ubuntu.com/4224-1/

Upstream has issued an advisory today (February 3): https://www.djangoproject.com/weblog/2020/feb/03/security-releases/
The issue is fixed upstream in 1.11.28 and 2.2.10.
Status comment: Fixed upstream in 1.11.27 and 2.2.9 => Fixed upstream in 1.11.28 and 2.2.10

Ubuntu has issued an advisory for the latest issue on February 4: https://usn.ubuntu.com/4264-1/

Upstream has issued an advisory today (March 4): https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
The issue is fixed upstream in 1.11.29 and 2.2.11.
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471 => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402

Shlomi has uploaded python-django-2.2.11-1.mga8 for Cauldron.
Version: Cauldron => 7

Ubuntu has issued an advisory for the latest issue today (March 4): https://usn.ubuntu.com/4296-1/

Upstream has issued an advisory today (June 3): https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
The issues are fixed upstream in 2.2.13. Mageia 7 is not affected by these issues.
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402 => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596

python-django-2.2.13-1.mga8 uploaded for Cauldron by Nicolas.
Version: Cauldron => 7

Nicolas also updated Mageia 7.
python2-django-1.11.29-1.mga7
python-django-bash-completion-1.11.29-1.mga7
python3-django-1.11.29-1.mga7
python-django-doc-1.11.29-1.mga7
from python-django-1.11.29-1.mga7.src.rpm
Advisory to come later.
Assignee: python => qa-bugs

Performed the simple setup tests described at https://bugs.mageia.org/show_bug.cgi?id=17860 before and after the update for python and python3. Output similar to that reported on the earlier bug and identical across the update. The browser checks at localhost:8000/ confirmed that django is working as expected. Waiting for any further information from the advisory. If more tests are required shall revert to version 1.11.20.
CC: (none) => tarazed25

Advisory:
========================

Updated python-django packages fix security vulnerabilities:

It was discovered that Django incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code (CVE-2019-12308).

Gavin Wahl discovered that Django incorrectly handled HTTP detection when used behind a reverse-proxy. Client requests made via HTTP would cause incorrect API results and would not be redirected to HTTPS, contrary to expectations (CVE-2019-12781).

It was discovered that Django incorrectly handled the Truncator function. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service (CVE-2019-14232).

It was discovered that Django incorrectly handled the strip_tags function. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service (CVE-2019-14233).

It was discovered that Django incorrectly handled certain lookups in the PostgreSQL support. A remote attacker could possibly use this issue to perform SQL injection attacks (CVE-2019-14234).

It was discovered that Django incorrectly handled certain invalid UTF-8 octet sequences. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service (CVE-2019-14235).

Simon Charette discovered that the password reset functionality in Django used a Unicode case insensitive query to retrieve accounts associated with an email address. An attacker could possibly use this to obtain password reset tokens and hijack accounts (CVE-2019-19844).

Simon Charette discovered that Django incorrectly handled input in the PostgreSQL module. A remote attacker could possibly use this to perform SQL injection attacks (CVE-2020-7471).

Norbert Szetei discovered that Django incorrectly handled the GIS functions and aggregates on Oracle. A remote attacker could possibly use this issue to perform an SQL injection attack (CVE-2020-9402).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14233
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9402
https://www.djangoproject.com/weblog/2019/jun/03/security-releases/
https://www.djangoproject.com/weblog/2019/jul/01/security-releases/
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
https://www.djangoproject.com/weblog/2020/feb/03/security-releases/
https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
https://usn.ubuntu.com/4043-1/
https://usn.ubuntu.com/4084-1/
https://usn.ubuntu.com/4224-1/
https://usn.ubuntu.com/4264-1/
https://usn.ubuntu.com/4296-1/

(In reply to David Walser from comment #14)
> Upstream has issued an advisory today (June 3):
> https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
>
> The issues are fixed upstream in 2.2.13.
>
> Mageia 7 is not affected by these issues.

Or maybe 1.11.x is no longer supported.

Ubuntu has issued an advisory for this on June 3: https://usn.ubuntu.com/4381-1/

We probably need some patches.
Keywords: (none) => feedback

Yes, we do, and the backported fix for CVE-2020-13254 caused a regression, which Debian-LTS fixed: https://www.debian.org/lts/security/2020/dla-2233-2
CC: (none) => qa-bugs

Debian has issued an advisory for the last three CVEs today (June 18): https://www.debian.org/security/2020/dsa-4705

Upstream has issued an advisory on September 1: https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
The issues are fixed upstream in 2.2.16.
Whiteboard: (none) => MGA7TOO

Ubuntu has issued an advisory for the newest issues on September 1: https://ubuntu.com/security/notices/USN-4479-1

I believe Mageia 7 is affected because it has Python 3.7.

python-django-3.1.1-1.mga8 has been uploaded for Cauldron by Guillaume.
Whiteboard: MGA7TOO => (none)
David Walser
2020-12-28 19:23:28 CET
Status comment: (none) => Needs 5 more patches to be added

Upstream has issued an advisory on February 1: https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
The issue is fixed upstream in 2.2.18 and 3.1.6.
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34] => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34], CVE-2021-3281

Ubuntu has issued an advisory for the newest issue on February 1: https://ubuntu.com/security/notices/USN-4715-1

freeze push asked

fixed in cauldron: python-django-3.1.6-1.mga8
Whiteboard: MGA7TOO => (none)
David Walser
2021-02-20 19:13:35 CET
Depends on: (none) => 28395

Upstream has issued an advisory on February 19: https://www.djangoproject.com/weblog/2021/feb/19/security-releases/
The issue is fixed upstream in 2.1.19 and 3.1.7. Mageia 8 is in Bug 28395.
Status comment: Needs 5 more patches to be added => Needs 5+ more patches to be added

Ubuntu has issued an advisory for CVE-2021-23336 on February 22: https://ubuntu.com/security/notices/USN-4742-1
David Walser
2021-04-18 22:37:02 CEST
Depends on: (none) => 28802

Upstream has issued an advisory on April 6: https://www.djangoproject.com/weblog/2021/apr/06/security-releases/
The issue is fixed upstream in 3.1.8. Mageia 8 is in Bug 28802.
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34], CVE-2021-3281, CVE-2021-23336 => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34], CVE-2021-3281, CVE-2021-23336, CVE-2021-28658

Upstream has issued an advisory on May 4: https://www.djangoproject.com/weblog/2021/may/04/security-releases/
The issue is fixed upstream in 3.1.9. It won't fit in the bug title.
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34], CVE-2021-3281, CVE-2021-23336, CVE-2021-28658 => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34], CVE-2021-3281, CVE-2021-23336, CVE-2021-28658, etc

Debian-LTS has issued an advisory for the last two issues on April 9: https://www.debian.org/lts/security/2021/dla-2622

Ubuntu has issued an advisory for the last two issues on April 6 and May 4:
https://ubuntu.com/security/notices/USN-4902-1
https://ubuntu.com/security/notices/USN-4932-1

Upstream has issued an advisory on June 2: https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
The issues are fixed upstream in 3.1.12 and 3.2.4.

Ubuntu has issued an advisory for this on June 2: https://ubuntu.com/security/notices/USN-4975-1

https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Resolution: (none) => OLD