Upstream has issued an advisory on June 3: https://www.djangoproject.com/weblog/2019/jun/03/security-releases/ The issue is fixed upstream in 1.11.21. Mageia 7 is also affected. Mageia 6 may be as well.
Whiteboard: (none) => MGA7TOO
Upstream has issued an advisory today (July 1): https://www.djangoproject.com/weblog/2019/jul/01/security-releases/ The issue is fixed upstream in 1.11.22. Mageia 7 is also affected. Mageia 6 may be as well.
Summary: python-django new security issue CVE-2019-12308 => python-django new security issues CVE-2019-12308 and CVE-2019-12781
Upstream has issued an advisory on August 1: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ The issue is fixed upstream in 1.11.23. Mageia 7 is also affected. Mageia 6 may be as well.
Status comment: (none) => Fixed upstream in 1.11.23
Summary: python-django new security issues CVE-2019-12308 and CVE-2019-12781 => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5]
Ubuntu advisory for the first two CVEs, from July 1: https://usn.ubuntu.com/4043-1/
Ubuntu advisory for the latter CVEs, from August 1: https://usn.ubuntu.com/4084-1/
openSUSE has issued an advisory for this on August 8: https://lists.opensuse.org/opensuse-updates/2019-08/msg00019.html
Upstream has issued an advisory today (December 2): https://www.djangoproject.com/weblog/2019/dec/02/security-releases/ The issue is fixed upstream in 2.2.8. Mageia 7 is not affected by this issue.
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5] => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118
Status comment: Fixed upstream in 1.11.23 => Fixed upstream in 1.11.23 and 2.2.8
CC: (none) => jani.valimaa
Upstream has issued an advisory today (December 18): https://www.djangoproject.com/weblog/2019/dec/18/security-releases/ The issue is fixed upstream in 1.11.27 and 2.2.9.
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118 => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844
Status comment: Fixed upstream in 1.11.23 and 2.2.8 => Fixed upstream in 1.11.27 and 2.2.9
Ubuntu has issued an advisory for the latest CVE on December 19: https://usn.ubuntu.com/4224-1/
Upstream has issued an advisory today (February 3): https://www.djangoproject.com/weblog/2020/feb/03/security-releases/ The issue is fixed upstream in 1.11.28 and 2.2.10.
Status comment: Fixed upstream in 1.11.27 and 2.2.9 => Fixed upstream in 1.11.28 and 2.2.10
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844 => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471
Ubuntu has issued an advisory for the latest issue on February 4: https://usn.ubuntu.com/4264-1/
Upstream has issued an advisory today (March 4): https://www.djangoproject.com/weblog/2020/mar/04/security-releases/ The issue is fixed upstream in 1.11.29 and 2.2.11.
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471 => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402
Status comment: Fixed upstream in 1.11.28 and 2.2.10 => Fixed upstream in 1.11.29 and 2.2.11
Shlomi has uploaded python-django-2.2.11-1.mga8 for Cauldron.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => shlomif
Ubuntu has issued an advisory for the latest issue today (March 4): https://usn.ubuntu.com/4296-1/
Upstream has issued an advisory today (June 3): https://www.djangoproject.com/weblog/2020/jun/03/security-releases/ The issues are fixed upstream in 2.2.13. Mageia 7 is not affected by these issues.
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402 => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596
Version: 7 => Cauldron
Status comment: Fixed upstream in 1.11.29 and 2.2.11 => Fixed upstream in 1.11.29 and 2.2.13
Whiteboard: (none) => MGA7TOO
python-django-2.2.13-1.mga8 uploaded for Cauldron by Nicolas.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Nicolas also updated Mageia 7.

python2-django-1.11.29-1.mga7
python-django-bash-completion-1.11.29-1.mga7
python3-django-1.11.29-1.mga7
python-django-doc-1.11.29-1.mga7

from python-django-1.11.29-1.mga7.src.rpm

Advisory to come later.
Assignee: python => qa-bugs
Status comment: Fixed upstream in 1.11.29 and 2.2.13 => (none)
Performed the simple setup tests described at https://bugs.mageia.org/show_bug.cgi?id=17860 before and after the update for python and python3. Output similar to that reported on the earlier bug and identical across the update. The browser checks at localhost:8000/ confirmed that django is working as expected. Waiting for any further information from the advisory. If more tests are required shall revert to version 1.11.20.
CC: (none) => tarazed25
Advisory:
========================

Updated python-django packages fix security vulnerabilities:

It was discovered that Django incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code (CVE-2019-12308).

Gavin Wahl discovered that Django incorrectly handled HTTP detection when used behind a reverse-proxy. Client requests made via HTTP would cause incorrect API results and would not be redirected to HTTPS, contrary to expectations (CVE-2019-12781).

It was discovered that Django incorrectly handled the Truncator function. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service (CVE-2019-14232).

It was discovered that Django incorrectly handled the strip_tags function. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service (CVE-2019-14233).

It was discovered that Django incorrectly handled certain lookups in the PostgreSQL support. A remote attacker could possibly use this issue to perform SQL injection attacks (CVE-2019-14234).

It was discovered that Django incorrectly handled certain invalid UTF-8 octet sequences. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service (CVE-2019-14235).

Simon Charette discovered that the password reset functionality in Django used a Unicode case insensitive query to retrieve accounts associated with an email address. An attacker could possibly use this to obtain password reset tokens and hijack accounts (CVE-2019-19844).

Simon Charette discovered that Django incorrectly handled input in the PostgreSQL module. A remote attacker could possibly use this to perform SQL injection attacks (CVE-2020-7471).

Norbert Szetei discovered that Django incorrectly handled the GIS functions and aggregates on Oracle. A remote attacker could possibly use this issue to perform an SQL injection attack (CVE-2020-9402).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14233
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9402
https://www.djangoproject.com/weblog/2019/jun/03/security-releases/
https://www.djangoproject.com/weblog/2019/jul/01/security-releases/
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
https://www.djangoproject.com/weblog/2020/feb/03/security-releases/
https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
https://usn.ubuntu.com/4043-1/
https://usn.ubuntu.com/4084-1/
https://usn.ubuntu.com/4224-1/
https://usn.ubuntu.com/4264-1/
https://usn.ubuntu.com/4296-1/
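The CVE-2019-19844 entry in the advisory above is worth seeing in code, because the dangerous part is not the case-insensitive lookup itself but two things around it: the database collation may treat two genuinely different addresses as equal, and the reset token was then mailed to the address the requester typed rather than the one stored on the account. The following is an added illustration written for this page, not Django's own code. The `User` dataclass, the sample accounts and the accent-stripping `db_collation_key` (a stand-in for an over-permissive database collation) are constructed; the strict comparison (NFKC normalization followed by casefold, the Unicode TR36 identifier-comparison recipe) is the kind of check the upstream fix added.

```python
import unicodedata
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class User:
    """Hypothetical user record standing in for an auth user row (constructed)."""
    username: str
    email: str
    is_active: bool = True


# Constructed sample accounts for this example.
USERS = [
    User("alice", "alice@example.org"),
    User("bob", "bob@example.org", is_active=False),
]


def db_collation_key(s: str) -> str:
    """
    Constructed stand-in for an over-permissive database collation: it folds
    case AND drops accents (NFKD, then strip combining marks). Two distinct
    addresses can therefore compare equal here, which is the situation the
    advisory describes.
    """
    decomposed = unicodedata.normalize("NFKD", s)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.casefold()


def unicode_ci_compare(s1: str, s2: str) -> bool:
    """
    Case-insensitive identifier comparison per Unicode TR36 2.11.2(B)(2):
    NFKC-normalize, then casefold. Accents survive, so 'alicé' != 'alice'.
    """
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_targets_vulnerable(submitted_email: str) -> List[Tuple[str, str]]:
    """
    Vulnerable pattern: trust the database's case-insensitive match alone and
    mail the token to the *submitted* address.
    Returns (account, address the token is mailed to) pairs.
    """
    key = db_collation_key(submitted_email)
    return [
        (u.username, submitted_email)
        for u in USERS
        if u.is_active and db_collation_key(u.email) == key
    ]


def reset_targets_hardened(submitted_email: str) -> List[Tuple[str, str]]:
    """
    Hardened pattern: keep the cheap database pre-filter, re-check every
    candidate with the strict Unicode comparison, and mail the token to the
    address *stored on the account*, never to the submitted string.
    """
    key = db_collation_key(submitted_email)
    candidates = [u for u in USERS if u.is_active and db_collation_key(u.email) == key]
    return [
        (u.username, u.email)
        for u in candidates
        if unicode_ci_compare(submitted_email, u.email)
    ]


if __name__ == "__main__":
    # A distinct mailbox that collides with alice's under the loose collation.
    attacker = "alicé@example.org"
    print("vulnerable:", reset_targets_vulnerable(attacker))
    print("hardened:  ", reset_targets_hardened(attacker))
    print("legit:     ", reset_targets_hardened("ALICE@EXAMPLE.ORG"))
```

Run as a script, the vulnerable path hands alice's reset token to the attacker-controlled address, the hardened path returns no match for it, and a plain upper-case variant of the real address still works because the token is mailed to the stored address regardless of how the requester spelled it.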
(In reply to David Walser from comment #14)
> Upstream has issued an advisory today (June 3):
> https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
>
> The issues are fixed upstream in 2.2.13.
>
> Mageia 7 is not affected by these issues.

Or maybe 1.11.x is no longer supported.

Ubuntu has issued an advisory for this on June 3:
https://usn.ubuntu.com/4381-1/

We probably need some patches.
Keywords: (none) => feedback
Yes, we do, and the backported fix for CVE-2020-13254 caused a regression, which Debian-LTS fixed: https://www.debian.org/lts/security/2020/dla-2233-2
CC: (none) => qa-bugs
Assignee: qa-bugs => mageia
Keywords: feedback => (none)
Debian has issued an advisory for the last three CVEs today (June 18): https://www.debian.org/security/2020/dsa-4705
Upstream has issued an advisory on September 1: https://www.djangoproject.com/weblog/2020/sep/01/security-releases/ The issues are fixed upstream in 2.2.16.
Whiteboard: (none) => MGA7TOO
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596 => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34]
Version: 7 => Cauldron
Ubuntu has issued an advisory for the newest issues on September 1: https://ubuntu.com/security/notices/USN-4479-1 I believe Mageia 7 is affected because it has Python 3.7.
python-django-3.1.1-1.mga8 has been uploaded for Cauldron by Guillaume.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Status comment: (none) => Needs 5 more patches to be added
Upstream has issued an advisory on February 1: https://www.djangoproject.com/weblog/2021/feb/01/security-releases/ The issue is fixed upstream in 2.2.18 and 3.1.6.
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34] => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34], CVE-2021-3281
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Ubuntu has issued an advisory for the newest issue on February 1: https://ubuntu.com/security/notices/USN-4715-1
freeze push asked
fixed in cauldron: python-django-3.1.6-1.mga8
Depends on: (none) => 28395
Upstream has issued an advisory on February 19: https://www.djangoproject.com/weblog/2021/feb/19/security-releases/ The issue is fixed upstream in 2.1.19 and 3.1.7. Mageia 8 is in Bug 28395.
Status comment: Needs 5 more patches to be added => Needs 5+ more patches to be added
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34], CVE-2021-3281 => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34], CVE-2021-3281, CVE-2021-23336
Ubuntu has issued an advisory for CVE-2021-23336 on February 22: https://ubuntu.com/security/notices/USN-4742-1
Depends on: (none) => 28802
Upstream has issued an advisory on April 6: https://www.djangoproject.com/weblog/2021/apr/06/security-releases/ The issue is fixed upstream in 3.1.8. Mageia 8 is in Bug 28802.
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34], CVE-2021-3281, CVE-2021-23336 => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34], CVE-2021-3281, CVE-2021-23336, CVE-2021-28658
Upstream has issued an advisory on May 4: https://www.djangoproject.com/weblog/2021/may/04/security-releases/ The issue is fixed upstream in 3.1.9. It won't fit in the bug title.
Summary: python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34], CVE-2021-3281, CVE-2021-23336, CVE-2021-28658 => python-django new security issues CVE-2019-12308, CVE-2019-12781, CVE-2019-1423[2-5], CVE-2019-19118, CVE-2019-19844, CVE-2020-7471, CVE-2020-9402. CVE-2020-13254. CVE-2020-13596, CVE-2020-2458[34], CVE-2021-3281, CVE-2021-23336, CVE-2021-28658, etc
Debian-LTS has issued an advisory for the last two issues on April 9: https://www.debian.org/lts/security/2021/dla-2622
Ubuntu has issued an advisory for the last two issues on April 6 and May 4: https://ubuntu.com/security/notices/USN-4902-1 https://ubuntu.com/security/notices/USN-4932-1
Upstream has issued an advisory on June 2: https://www.djangoproject.com/weblog/2021/jun/02/security-releases/ The issues are fixed upstream in 3.1.12 and 3.2.4. Ubuntu has issued an advisory for this on June 2: https://ubuntu.com/security/notices/USN-4975-1
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Resolution: (none) => OLD
Status: NEW => RESOLVED