ESB-2019.0057 - [Win][UNIX/Linux][Debian] python-django: Provide misleading information - Remote with user interaction - 2019-01-07


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0057
                       python-django security update
                              7 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-django
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-3498  

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running python-django check for an updated version of the software 
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : python-django
Version        : 1.7.11-1+deb8u4
CVE ID         : CVE-2019-3498
Debian Bug     : #918230

It was discovered that there was a content-spoofing vulnerability in the
default 404 pages in the Django web development framework.

For more information, please see:

  https://www.djangoproject.com/weblog/2019/jan/04/security-releases/

For Debian 8 "Jessie", this issue has been fixed in python-django
version 1.7.11-1+deb8u4.

We recommend that you upgrade your python-django packages.


Regards,

- - -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----