Bug 22727 - python-django new security issues CVE-2018-7536 and CVE-2018-7537
Summary: python-django new security issues CVE-2018-7536 and CVE-2018-7537
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-09 14:32 CET by David Walser
Modified: 2018-03-14 17:22 CET (History)
4 users

See Also:
Source RPM: python-django-1.8.18-2.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 1.8.19

Description David Walser 2018-03-09 14:32:20 CET
Upstream has issued an advisory on March 6:
https://www.djangoproject.com/weblog/2018/mar/06/security-releases/

The issues are fixed upstream in 1.8.19.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-03-09 14:32:34 CET

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 1.8.19

Comment 1 Marja Van Waes 2018-03-09 21:49:04 CET
Assigning to the python stack maintainers

Assignee: bugsquad => python
CC: (none) => marja11

Stig-Ørjan Smelror 2018-03-10 22:45:45 CET

Assignee: python => smelror
CC: (none) => smelror

Comment 2 Stig-Ørjan Smelror 2018-03-10 23:13:17 CET
Advisory
========

The python-django package has been updated to fix 2 security issues.


CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters.

CVE-2018-7537: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters.


References
==========
https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
https://security-tracker.debian.org/tracker/CVE-2018-7536
https://security-tracker.debian.org/tracker/CVE-2018-7537


Files
=====

These files are uploaded to core/updates_testing

python-django-1.8.19-1.mga6
python-django-bash-completion-1.8.19-1.mga6
python3-django-1.8.19-1.mga6
python-django-doc-1.8.19-1.mga6

from python-django-1.8.19-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Assignee: smelror => qa-bugs
Version: Cauldron => 6
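A practical follow-up to the package list above is checking whether the python-django RPMs on a host are at or past the upstream release that carries the CVE-2018-7536 / CVE-2018-7537 fixes (1.8.19). The script below is an added example, not part of this bug report or of Mageia's tooling: it parses `rpm -q` style name-version-release strings and compares only the upstream version field. The `rpm -q` output it audits is constructed from the package names in this report rather than read from a live system.

```python
"""Check whether python-django RPMs carry the upstream 1.8.19 security fix.

Added example for illustration; the sample `rpm -q` output below is constructed
from the package names in the advisory and is not output from a real host.
"""
import re

# Upstream release that fixes CVE-2018-7536 and CVE-2018-7537 (from the advisory).
FIXED_VERSION = "1.8.19"

# RPM NVR strings are name-version-release; version and release are the last two
# dash-separated fields, so names that themselves contain dashes
# (python-django-bash-completion) still parse correctly. A trailing architecture
# such as .noarch stays attached to the release field, which this check ignores.
_NVR_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")


def parse_nvr(nvr: str):
    """Split 'python-django-1.8.19-1.mga6' into (name, version, release)."""
    m = _NVR_RE.match(nvr.strip())
    if not m:
        raise ValueError(f"not an RPM name-version-release string: {nvr!r}")
    return m.group("name"), m.group("version"), m.group("release")


def version_key(version: str):
    """Tuple usable with >= so that 1.8.19 sorts after 1.8.9 (numeric, not
    lexicographic, comparison of each dotted segment)."""
    return tuple((0, int(seg)) if seg.isdigit() else (1, seg)
                 for seg in version.split("."))


def is_fixed(nvr: str, fixed_version: str = FIXED_VERSION) -> bool:
    """True when the package's upstream version is at least the fixed release.

    The Mageia release tag (1.mga6, 2.mga7) is deliberately not compared: the
    fix here is an upstream version bump, not a backported patch, so only the
    upstream version decides."""
    _, version, _ = parse_nvr(nvr)
    return version_key(version) >= version_key(fixed_version)


def audit(rpm_q_output: str, fixed_version: str = FIXED_VERSION):
    """Return [(nvr, fixed?)] for every django-related line in `rpm -q` output."""
    results = []
    for line in rpm_q_output.splitlines():
        line = line.strip()
        if not line or "django" not in line:
            continue
        results.append((line, is_fixed(line, fixed_version)))
    return results


# Constructed sample: the still-vulnerable source package version from the bug
# header next to the four fixed packages listed in the advisory.
SAMPLE_RPM_Q = """\
python-django-1.8.18-2.mga7
python-django-1.8.19-1.mga6
python-django-bash-completion-1.8.19-1.mga6
python3-django-1.8.19-1.mga6
python-django-doc-1.8.19-1.mga6
"""

if __name__ == "__main__":
    for nvr, ok in audit(SAMPLE_RPM_Q):
        print(f"{nvr:48} {'fixed' if ok else 'VULNERABLE'}")
```

On a real Mageia host, feed it the output of `rpm -q python-django python3-django` instead of the constructed sample; the comparison is by upstream version only, so a distribution that backports the fix without bumping the version would need a different check (for example, against the advisory's package list).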

Comment 3 Stig-Ørjan Smelror 2018-03-11 06:52:21 CET
The package has also been updated in Cauldron.
Comment 4 claire robinson 2018-03-11 10:14:08 CET
Advisory uploaded

Procedure: https://bugs.mageia.org/show_bug.cgi?id=17860#c7

Keywords: (none) => advisory, has_procedure

Comment 5 David Walser 2018-03-11 15:09:03 CET
Ubuntu has issued an advisory for this on March 6:
https://usn.ubuntu.com/3591-1/

Severity: normal => major

Comment 6 Len Lawrence 2018-03-12 11:43:00 CET
Mageia 6 :: x86_64

Clean update.
Following recommended test - comment 4.

$ django-admin startproject mysite
$ ls mysite
manage.py*  mysite

Continued to the point where the welcome message appears in the browser.
Ignored the exhortation to get to work...

This appears on the command line:
[12/Mar/2018 10:30:16] "GET / HTTP/1.1" 200 1767
[12/Mar/2018 10:30:16] "GET /favicon.ico HTTP/1.1" 404 1936
[12/Mar/2018 10:30:17] "GET /favicon.ico HTTP/1.1" 404 1936

Restarted the test from the beginning using python3 and observed the welcome message at localhost:8000/ in firefox.

Output was the same under both versions of python and agreed with the results of the tests for bug 17860.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Comment 7 Len Lawrence 2018-03-13 08:53:19 CET
Validating this.  Would sysadmins please push to updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2018-03-14 17:22:13 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0166.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
