-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: python-django security update
Advisory ID:       RHSA-2016:0502-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:0502.html
Issue date:        2016-03-24
CVE Names:         CVE-2016-2512 CVE-2016-2513 
====================================================================
1. Summary:

An update for python-django is now available for Red Hat Enterprise Linux
OpenStack Platform 5.0 (Icehouse) for RHEL 6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux OpenStack Platform 5.0 for RHEL 6 - noarch

3. Description:

Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as much
as possible and adhering to the DRY (Don't Repeat Yourself) principle.

Security Fix(es):

* An open-redirect flaw was found in the way Django's
django.utils.http.is_safe_url() function filtered authentication URLs. An
attacker able to trick a victim into visiting a crafted URL could use this
flaw to redirect that victim to a malicious site. (CVE-2016-2512)

* A timing attack flaw was found in the way Django's PBKDF2PasswordHasher
performed password hashing. Passwords hashed with an older version of
PBKDF2PasswordHasher used less hashing iterations, and thus allowed an
attacker to enumerate existing users based on the time differences in the
login requests. (CVE-2016-2513)

Red Hat would like to thank the Django project for reporting these issues.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1311431 - CVE-2016-2512 python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
1311438 - CVE-2016-2513 python-django: User enumeration through timing difference on password hasher work factor upgrade

6. Package List:

Red Hat Enterprise Linux OpenStack Platform 5.0 for RHEL 6:

Source:
python-django-1.6.11-5.el6ost.src.rpm

noarch:
python-django-1.6.11-5.el6ost.noarch.rpm
python-django-bash-completion-1.6.11-5.el6ost.noarch.rpm
python-django-doc-1.6.11-5.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-2512
https://access.redhat.com/security/cve/CVE-2016-2513
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFW8z+6XlSAg2UNWIIRAr7aAKCwJi+JiLoOUoZOXwWkFF6Hne4yuwCfQPsZ
eHLLE2mOD0uBD6PDjkX6u4U=qC4D
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list

RedHat: RHSA-2016-0502:01 Moderate: python-django security update

An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6

Summary

Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle.
Security Fix(es):
* An open-redirect flaw was found in the way Django's django.utils.http.is_safe_url() function filtered authentication URLs. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site. (CVE-2016-2512)
* A timing attack flaw was found in the way Django's PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests. (CVE-2016-2513)
Red Hat would like to thank the Django project for reporting these issues.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2016-2512 https://access.redhat.com/security/cve/CVE-2016-2513 https://access.redhat.com/security/updates/classification/#moderate

Package List

Red Hat Enterprise Linux OpenStack Platform 5.0 for RHEL 6:
Source: python-django-1.6.11-5.el6ost.src.rpm
noarch: python-django-1.6.11-5.el6ost.noarch.rpm python-django-bash-completion-1.6.11-5.el6ost.noarch.rpm python-django-doc-1.6.11-5.el6ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2016:0502-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2016:0502.html
Issued Date: : 2016-03-24
CVE Names: CVE-2016-2512 CVE-2016-2513

Topic

An update for python-django is now available for Red Hat Enterprise LinuxOpenStack Platform 5.0 (Icehouse) for RHEL 6.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

Red Hat Enterprise Linux OpenStack Platform 5.0 for RHEL 6 - noarch


Bugs Fixed

1311431 - CVE-2016-2512 python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth

1311438 - CVE-2016-2513 python-django: User enumeration through timing difference on password hasher work factor upgrade


Related News

5.ShakingHands Esm H320
3 - 5 min read
There has been a promising shift in the tech industry, with major companies pledging to release products with built-in security features. This
18.WifiCutout Landscape Esm H320
2 - 3 min read
A novel attack called TunnelVision has been discovered. It compromises the security of virtually all VPN apps, rendering their purpose useless. The
21.Globe RadiatingCode Esm H320
2 - 3 min read
The recent discovery of a backdoor in XZ Utils , a widely used Linux tool, raises concerns about the security of the open-source ecosystem. While
13.Lock StylizedMotherboard Esm H320
1 - 2 min read
Spiral Linux is a Debian-based distribution that offers a range of desktop environments, making it stand out from other Linux distributions. In
32.Lock Code Circular Esm H320
2 - 3 min read
Two critical security vulnerabilities were found in pgAdmin, the open-source administration tool for PostgreSQL . The vulnerabilities assigned
1.Penguin Landscape Esm H320
2 - 3 min read
The recent release of AlmaLinux 9.4 , closely aligned with Red Hat Enterprise Linux (RHEL) 9.4 , presents Linux admins and infosec professionals
11.Locks IsometricPattern Esm H320
2 - 3 min read
The upcoming release of Linux Mint 22 will introduce significant changes, particularly in handling XApp , GNOME applications, and the Software
2.Motherboard Esm H320
2 - 3 min read
German software engineer Lennart Poettering recently presented run0 , a new tool in systemd v256 that aims to address the security concerns
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved