Upstream has issued an advisory today (January 4):
The issue is fixed upstream in 1.11.18.
As with Bug 23377, I don't know if Mageia 6 is affected, as 1.8.x is no longer supported. Hopefully Ubuntu or someone will be able to determine that again.
Version 1.11.18 pushed to Cauldron.
From a comment on the Debian bug for this, it sounds like 1.8.x is affected, so we would have to backport this patch:
An upstream patch has been backported to fix a security vulnerability in python-django.
CVE-2019-3498: Content spoofing possibility in the default 404 page
An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view.
The URL path is no longer displayed in the default 404 template and the request_path context variable is now quoted to fix the issue for custom templates that use the path.
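To make the advisory concrete, here is an added, stand-alone illustration of the spoofing described above and of why quoting request_path closes it. It is not Django's code and not part of the original bug report: the template string, the crafted path and the helper names (decoded_request_path, render_404_vulnerable, render_404_fixed, spoofed_text_visible) are assumptions made for the example. html.escape stands in for Django's template autoescaping and urllib.parse.quote for the quoting the backported patch applies.

```python
from html import escape
from urllib.parse import quote, unquote

# Stand-in for a 404 template that prints the path, as the pre-fix default
# template did and as a custom template still may (assumed, not Django's
# actual template source).
TEMPLATE = "<p>The requested URL {request_path} was not found on this server.</p>"

# Constructed attacker URL: percent-encoded so the web server accepts it,
# but it decodes into an English sentence the victim will read as site text.
CRAFTED_PATH = "/account%20suspended.%20Call%20%2B1-555-0100%20to%20restore%20access."


def decoded_request_path(url_path):
    """Mimic the percent-decoding that turns the raw URL into request.path."""
    return unquote(url_path)


def render_404_vulnerable(url_path):
    """Pre-fix behaviour: decoded path goes straight into the template.

    Autoescaping (html.escape here) stops HTML/script injection, but plain
    text survives untouched, so attacker-chosen words appear as page copy.
    """
    path = decoded_request_path(url_path)
    return TEMPLATE.format(request_path=escape(path))


def render_404_fixed(url_path):
    """Post-fix behaviour: request_path is quoted before reaching the template.

    quote() re-encodes spaces and other separators (the '+' becomes %2B),
    so the injected sentence is no longer readable as a sentence.
    """
    path = decoded_request_path(url_path)
    return TEMPLATE.format(request_path=escape(quote(path)))


def spoofed_text_visible(rendered_page, phrase):
    """Check whether the attacker's phrase appears verbatim in the page."""
    return phrase in rendered_page


if __name__ == "__main__":
    phrase = "account suspended. Call +1-555-0100"
    print(render_404_vulnerable(CRAFTED_PATH))
    print(render_404_fixed(CRAFTED_PATH))
    print("vulnerable shows spoofed text:",
          spoofed_text_visible(render_404_vulnerable(CRAFTED_PATH), phrase))
    print("fixed shows spoofed text:",
          spoofed_text_visible(render_404_fixed(CRAFTED_PATH), phrase))
```

The point for anyone carrying a custom 404 template on the patched 1.8.x build: escaping already prevented markup injection, so the bug is purely about readable text, and the backport only helps templates that keep using request_path; templates that render request.path directly still show the decoded string.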
Uploaded to core/updates_testing
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 17860 Comment 7 for testing
Got exactly the same results as described in there, no point in repeating it all here (python and python3).
OK for me.
Thank you Herman. Pushing this on.
An update for this issue has been pushed to the Mageia Updates repository.