ArchLinux: 201704-2: python-django: multiple issues
Summary
- CVE-2017-7233 (cross-site scripting)
Django relies on user input in some cases (e.g.
django.contrib.auth.views.login() and i18n) to redirect the user to an
“on success†URL. The security check for these redirects (namely
django.utils.http.is_safe_url()) considered some numeric URLs (e.g.
http:999999999) “safe†when they shouldn’t be.
Also, if a developer relies on is_safe_url() to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS
attack.
- CVE-2017-7234 (open redirect)
A maliciously crafted URL to a Django site using the serve() view could
redirect to any other domain. The view no longer does any redirects as
they don’t provide any known, useful functionality.
Note, however, that this view has always carried a warning that it is
not hardened for production use and should be used only as a
development aid.
Resolution
Upgrade to 1.11-1.
# pacman -Syu "python-django>=1.11-1"
The problems have been fixed upstream in version 1.11.
References
https://docs.djangoproject.com/en/dev/releases/1.11/ https://security.archlinux.org/CVE-2017-7233 https://security.archlinux.org/CVE-2017-7234
Workaround
None.