Upstream has issued an advisory today (September 26):
https://www.djangoproject.com/weblog/2016/sep/26/security-releases/

The issue is fixed in 1.8.15. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
python-django-1.8.15-1.mga5.noarch.rpm
python-django-bash-completion-1.8.15-1.mga5.noarch.rpm
python3-django-1.8.15-1.mga5.noarch.rpm
python-django-doc-1.8.15-1.mga5.noarch.rpm

from python-django-1.8.15-1.mga5.src.rpm

Are in 5/core/updates_testing

Cauldron freeze push asked

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=17860#c7

Advisory

CVE-2016-7401: CSRF protection bypass on a site with Google Analytics

An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.

Ref:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7401
https://www.djangoproject.com/weblog/2016/sep/26/security-releases/
CVE: (none) => CVE-2016-7401
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA5TOO => MGA5TOO has_procedure
Version: Cauldron => 5
Whiteboard: MGA5TOO has_procedure => has_procedure
URL: (none) => http://lwn.net/Vulnerabilities/701999/
Testing MGA5-64

BEFORE update:
python-django-1.8.14-1.mga5
python-django-doc-1.8.14-1.mga5
python3-django-1.8.14-1.mga5
python-django-bash-completion-1.8.14-1.mga5

Ran the tests as per https://bugs.mageia.org/show_bug.cgi?id=17860#c7

Python:
$ django-admin startproject mysite
$ cd mysite/
$ python manage.py runserver     [1st go]
Performing system checks...
System check identified no issues (0 silenced).
You have unapplied migrations; your app may not work properly until they are applied.
Run 'python manage.py migrate' to apply them.
March 04, 2016 - 18:58:12
Django version 1.8.10, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
^C
$ python manage.py migrate
Operations to perform:
[etc as shown in the reference, all OK]
$ python manage.py runserver     [2nd go]
Performing system checks...
System check identified no issues (0 silenced).
March 04, 2016 - 18:58:46
Django version 1.8.10, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[ Point a browser to http://localhost:8000/ and you should see:
"It worked! Congratulations on your first Django-powered page." ]
^C
$ cd ..
[To tidy up]
$ rm -rf mysite/
--------
Python3:
$ python3-django-admin startproject mysite
$ cd mysite/
$ python3 manage.py runserver     [1st go]
[Same O/P as 1st such command as above]
^C
$ python3 manage.py migrate
[Same O/P as above all OK]
$ python3 manage.py runserver     [2nd go]
[Same O/P and browser result as per 2nd such command above]
^C
$ cd ..
[To tidy up]
$ rm -rf mysite/
----------------------
AFTER update:
python-django-bash-completion-1.8.15-1.mga5
python3-django-1.8.15-1.mga5
python-django-doc-1.8.15-1.mga5
python-django-1.8.15-1.mga5

Same results as before for both Python & Python3. This update looks OK.
CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0334.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED