ArchLinux: 201907-2: python-django: silent downgrade

    Date: 09 Jul 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package python-django before version 2.2.3-1 is vulnerable to silent downgrade.
    Arch Linux Security Advisory ASA-201907-2
    =========================================
    
    Severity: High
    Date    : 2019-07-06
    CVE-ID  : CVE-2019-12781
    Package : python-django
    Type    : silent downgrade
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1000
    
    Summary
    =======
    
    The package python-django before version 2.2.3-1 is vulnerable to
    silent downgrade.
    
    Resolution
    ==========
    
    Upgrade to 2.2.3-1.
    
    # pacman -Syu "python-django>=2.2.3-1"
    
    The problem has been fixed upstream in version 2.2.3.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    When SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT are both set and
    the reverse proxy connects to Django over HTTPS, an HTTP request from a
    client is not redirected to HTTPS. The cause is in
    django.http.HttpRequest.scheme: it only used the configured proxy header
    to promote a request to "https", and when the header carried any other
    value it fell back to the scheme of the proxy-to-Django connection,
    which is "https". A client that used plain HTTP was therefore treated as
    secure (is_secure() returned True and build_absolute_uri() produced
    https URLs). As of 2.2.3 the header, when present, is authoritative for
    both HTTP and HTTPS requests.
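    The following is an added example, not code from the advisory or from
    Django itself. It re-implements the scheme-detection logic of
    HttpRequest.scheme before and after the 2.2.3 fix on a plain WSGI environ
    dict, so it runs without Django installed; the header name, the
    constructed environs and the needs_ssl_redirect() helper (which stands in
    for SecurityMiddleware's SECURE_SSL_REDIRECT decision) are assumptions
    made for the illustration.

```python
"""Stand-in for the relevant part of django.http.HttpRequest.scheme.

Added example, not Django's own code: a minimal reproduction of the logic of
HttpRequest.scheme before and after the CVE-2019-12781 fix in 2.2.3, run on a
plain WSGI environ dict instead of a real HttpRequest.
"""

# Assumed deployment setting, the usual value behind nginx/HAProxy.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def wsgi_scheme(environ):
    """What Django's _get_scheme() returns: the scheme of the connection that
    reached Django itself (the proxy-to-Django hop), not the client hop."""
    return environ.get("wsgi.url_scheme")


def scheme_vulnerable(environ, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Pre-2.2.3 behaviour: the proxy header can only promote to https.

    A header value other than the trusted one falls through to the WSGI
    scheme.  Behind a proxy that talks HTTPS to Django that is always
    'https', so a plain-HTTP client is reported as secure.
    """
    if proxy_header:
        header, value = proxy_header
        if environ.get(header) == value:
            return "https"
    return wsgi_scheme(environ)


def scheme_fixed(environ, proxy_header=SECURE_PROXY_SSL_HEADER):
    """2.2.3 behaviour: when the header is present it is authoritative.

    'https' only if it equals the configured value, 'http' otherwise.  The
    WSGI scheme is consulted only when the proxy sent no header at all.
    """
    if proxy_header:
        header, value = proxy_header
        header_value = environ.get(header)
        if header_value is not None:
            return "https" if header_value == value else "http"
    return wsgi_scheme(environ)


def needs_ssl_redirect(environ, scheme_fn, secure_ssl_redirect=True):
    """Assumed mirror of the SECURE_SSL_REDIRECT check: redirect unless the
    request is already considered secure by the given scheme function."""
    return secure_ssl_redirect and scheme_fn(environ) != "https"


# Constructed WSGI environs.  The proxy connects to Django over HTTPS in every
# case (wsgi.url_scheme == 'https'); only what the client did differs.
CLIENT_HTTP = {"wsgi.url_scheme": "https", "HTTP_X_FORWARDED_PROTO": "http"}
CLIENT_HTTPS = {"wsgi.url_scheme": "https", "HTTP_X_FORWARDED_PROTO": "https"}
NO_HEADER = {"wsgi.url_scheme": "https"}  # proxy forgot to set the header


if __name__ == "__main__":
    cases = [("client over HTTP", CLIENT_HTTP),
             ("client over HTTPS", CLIENT_HTTPS),
             ("proxy sent no header", NO_HEADER)]
    for name, env in cases:
        print(f"{name:22s} vulnerable: scheme={scheme_vulnerable(env):5s} "
              f"redirect={needs_ssl_redirect(env, scheme_vulnerable)!s:5s} | "
              f"fixed: scheme={scheme_fixed(env):5s} "
              f"redirect={needs_ssl_redirect(env, scheme_fixed)}")
```

    For the "client over HTTP" case the vulnerable logic reports "https" and
    skips the redirect, while the fixed logic reports "http" and redirects.
    Note the third case: with no header at all, both versions fall back to the
    proxy-to-Django scheme and still report "https". The fix therefore only
    helps when the proxy sets (and overwrites any client-supplied copy of) the
    header on every request, which is also what Django's documentation for
    SECURE_PROXY_SSL_HEADER requires.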
    
    Impact
    ======
    
    A network-positioned attacker can perform a man-in-the-middle attack:
    a client that connects over plain HTTP is not redirected to HTTPS, so its
    requests and responses continue in cleartext and can be read or altered.
    
    References
    ==========
    
    https://docs.djangoproject.com/en/2.2/releases/2.2.3/
    https://www.openwall.com/lists/oss-security/2019/07/01/3
    https://github.com/django/django/commit/77706a3e4766da5d5fb75c4db22a0a59a28e6cd6
    https://security.archlinux.org/CVE-2019-12781
    