Bug 20628 - python-django new security issues CVE-2017-7233 and CVE-2017-7234
Summary: python-django new security issues CVE-2017-7233 and CVE-2017-7234
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-04-05 12:01 CEST by David Walser
Modified: 2017-04-14 21:41 CEST (History)
4 users

See Also:
Source RPM: python-django-1.8.16-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-04-05 12:01:09 CEST
Upstream has issued an advisory on April 4:
https://www.djangoproject.com/weblog/2017/apr/04/security-releases/

The issues are fixed in 1.8.18.

Mageia 5 is also affected.
David Walser 2017-04-05 12:01:17 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-04-05 12:04:00 CEST
Ubuntu has issued an advisory for this on April 4:
https://www.ubuntu.com/usn/usn-3254-1/
Comment 2 Philippe Makowski 2017-04-05 15:10:29 CEST
noted, I will upgrade mga5 and mga6 packages

Status: NEW => ASSIGNED

Comment 3 Marja Van Waes 2017-04-08 16:18:13 CEST
Again, because this morning's changes got lost:


Copying Philippem's advisory etc from QA ml:

___________________________________________________________________________


python-django-1.8.16-1.1.mga5 in 5/core/updates_testing

packages :
python-django-1.8.16-1.1.mga5.noarch.rpm
python-django-bash-completion-1.8.16-1.1.mga5.noarch.rpm
python3-django-1.8.16-1.1.mga5.noarch.rpm
python-django-doc-1.8.16-1.1.mga5.noarch.rpm

from :
python-django-1.8.16-1.1.mga5.src.rpm


Advisory :

It was discovered that Django incorrectly handled numeric redirect URLs. A
remote attacker could possibly use this issue to perform XSS attacks, and
to use a Django server as an open redirect. (CVE-2017-7233)

Phithon Gong discovered that Django incorrectly handled certain URLs when
the django.views.static.serve() view is being used. A remote attacker could
possibly use a Django server as an open redirect. (CVE-2017-7234)


refs :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7233
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7234
https://www.djangoproject.com/weblog/2017/apr/04/security-releases/
http://www.ubuntu.com/usn/usn-3254-1

Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA5TOO => (none)
Status: ASSIGNED => NEW
Version: Cauldron => 5
CC: (none) => makowski.mageia, marja11
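Both advisories above come down to the same defensive requirement: a redirect target supplied by the client must be accepted only when it provably stays on the application's own host, and anything the URL parser splits in a surprising way (a scheme with no host, a scheme-relative "//host" form, a non-http scheme) must be rejected rather than passed to the browser. The following is an added example written for this bug page; it is not code from Django, Ubuntu or the Mageia package, and the function name `is_safe_redirect`, the `ALLOWED_SCHEMES` constant and the sample targets are all constructed here. It deliberately does not rely on how a given Python version parses a scheme followed only by digits: whichever way `urlsplit` splits such input, the check fails closed.

```python
"""Strict validation of a client-supplied redirect target (added example;
names and sample inputs are constructed, not taken from Django)."""
from urllib.parse import urlsplit

# Only plain web schemes may ever be followed; "javascript:", "data:" etc. never are.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(target: str, allowed_hosts: set) -> bool:
    """Return True only if `target` is a same-site path or an absolute
    http(s) URL whose host is exactly one of `allowed_hosts`.

    The function fails closed: every branch that cannot positively prove
    the target is local returns False."""
    if not target:
        return False
    # Whitespace and control characters are stripped or reinterpreted by
    # browsers; refuse them outright instead of guessing how a client sees them.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False

    parts = urlsplit(target)

    if parts.scheme:
        # Absolute URL: both the scheme and the exact host must be allowlisted.
        # A missing netloc (e.g. "http:999999999" on newer Pythons) fails here
        # because "" is never an allowed host; userinfo tricks such as
        # "https://app.example@evil.example/" fail because netloc includes "@".
        return (parts.scheme.lower() in ALLOWED_SCHEMES
                and parts.netloc.lower() in allowed_hosts)

    if parts.netloc:
        # Scheme-relative form "//evil.example/..." inherits the current
        # scheme in the browser and leaves the site; never allow it.
        return False

    # No scheme, no netloc: must be an absolute path on this site. Reject
    # "//..." (already handled) and "/\\..." which some browsers treat as "//".
    # On older Pythons "http:999999999" lands here with path "http:999999999",
    # which does not start with "/" and is therefore rejected as well.
    path = parts.path
    return path.startswith("/") and not path.startswith("//") and not path.startswith("/\\")


# Constructed sample targets a login view might receive in ?next=
SAMPLE_TARGETS = [
    "/accounts/profile/",
    "https://app.example/dashboard",
    "http://evil.example/",
    "//evil.example/",
    "http:999999999",
    "javascript:alert(1)",
    "/\\evil.example",
    "https://app.example@evil.example/",
    "",
]


def classify_samples(allowed_hosts=frozenset({"app.example"})) -> dict:
    """Map each constructed sample target to the validator's verdict."""
    return {t: is_safe_redirect(t, set(allowed_hosts)) for t in SAMPLE_TARGETS}


if __name__ == "__main__":
    for target, ok in classify_samples().items():
        print(f"{'ALLOW ' if ok else 'REJECT'} {target!r}")
```

The design choice worth noting is that the host comparison is an exact allowlist match, not a suffix or substring test, and that the relative-path branch only accepts targets beginning with a single `/`; any input the parser cannot place cleanly into one of those two shapes is refused. A view would call `is_safe_redirect(request.GET.get("next", ""), {request.get_host()})` and fall back to a fixed default URL when it returns False.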

Comment 4 Dave Hodgins 2017-04-09 01:33:57 CEST
Tested as per https://bugs.mageia.org/show_bug.cgi?id=17860#c7
Advisory added to svn.
Validating the update.

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2017-04-14 21:41:07 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0106.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

