Upstream has issued an advisory today (July 18): https://www.djangoproject.com/weblog/2016/jul/18/security-releases/ The issue is fixed in 1.8.14. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Debian has issued an advisory for this on July 18: https://www.debian.org/security/2016/dsa-3622
URL: (none) => http://lwn.net/Vulnerabilities/694868/
Updated packages uploaded for Mageia 5 and Cauldron.

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13251#c6

Advisory:
========================

Updated python-django packages fix security vulnerability:

It was discovered that Django is prone to a cross-site scripting vulnerability in the admin's add/change related popup (CVE-2016-6186).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6186
https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
https://www.debian.org/security/2016/dsa-3622
========================

Updated packages in core/updates_testing:
========================
python-django-1.8.14-1.mga5
python-django-bash-completion-1.8.14-1.mga5
python3-django-1.8.14-1.mga5
python-django-doc-1.8.14-1.mga

from python-django-1.8.14-1.mga5.src.rpm
Version: Cauldron => 5
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA5TOO => has_procedure
MGA5-32 on Acer D620 Xfce
No installation issues
Used procedure as per bug 13251 Comment 6 and 13
at CLI as normal user

$ django-admin startproject mysite
$ cd mysite/
$ python manage.py runserver
Performing system checks...

System check identified no issues (0 silenced).

You have unapplied migrations; your app may not work properly until they are applied.
Run 'python manage.py migrate' to apply them.

August 12, 2016 - 13:28:23
Django version 1.8.14, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[12/Aug/2016 13:28:55] "GET / HTTP/1.1" 200 1767
[12/Aug/2016 13:28:55] "GET /favicon.ico HTTP/1.1" 404 1936
[12/Aug/2016 13:28:55] "GET /favicon.ico HTTP/1.1" 404 1936

django previous versions were installed on this laptop, so

$ python manage.py migrate
Operations to perform:
  Synchronize unmigrated apps: staticfiles, messages
  Apply all migrations: admin, contenttypes, auth, sessions
Synchronizing apps without migrations:
  Creating tables...
    Running deferred SQL...
  Installing custom SQL...
Running migrations:
  Rendering model states... DONE
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying sessions.0001_initial... OK

then python manage.py runserver
Performing system checks...

System check identified no issues (0 silenced).
August 12, 2016 - 13:29:52
Django version 1.8.14, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[12/Aug/2016 13:30:01] "GET / HTTP/1.1" 200 1767

And I could access the page above.
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0282.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED