ArchLinux: 201610-12: python2-django: cross-site request forgery
Summary
Sergey Bobrov found a vulnerability where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.
Resolution
Upgrade to 1.10.1-1.
# pacman -Syu "python2-django>=1.10.1-1"
The problem has been fixed upstream in version 1.10.1.
References
https://www.djangoproject.com/weblog/2016/sep/26/security-releases/
https://access.redhat.com/security/cve/CVE-2016-7401
Workaround
None.