Operating System:

[RedHat]

Published:

17 January 2019

Protect yourself against future threats.

//Service

Early Warning SMS

Receive SMS notifications for the most critical security threats and vulnerabilities.

Read more
Resources > Security Bulletins > ESB-2019.0145 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0145
                  Moderate: python-django security update
                              17 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-django
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-7536  

Reference:         ESB-2018.3131
                   ESB-2018.0955
                   ESB-2018.0689
                   ESB-2018.0664

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:0051
   https://access.redhat.com/errata/RHSA-2019:0082

Comment: This bulletin contains two (2) security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: python-django security update
Advisory ID:       RHSA-2019:0051-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0051
Issue date:        2019-01-16
CVE Names:         CVE-2018-7536 
=====================================================================

1. Summary:

An update for python-django is now available for Red Hat OpenStack Platform
10.0 (Newton).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 10.0 - noarch

3. Description:

Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as much
as possible and adhering to the DRY (Don't Repeat Yourself) principle.

Security Fix(es):

* django: Catastrophic backtracking in regular expressions via 'urlize' and
'urlizetrunc' (CVE-2018-7536)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank the Django project for reporting this issue.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1549777 - CVE-2018-7536 django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc'

6. Package List:

Red Hat OpenStack Platform 10.0:

Source:
python-django-1.8.19-1.el7ost.src.rpm

noarch:
python-django-1.8.19-1.el7ost.noarch.rpm
python-django-bash-completion-1.8.19-1.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-7536
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

- -------------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: python-django security update
Advisory ID:       RHSA-2019:0082-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0082
Issue date:        2019-01-16
CVE Names:         CVE-2018-7536 
=====================================================================

1. Summary:

An update for python-django is now available for Red Hat OpenStack Platform
13.0 (Queens).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 13.0 - noarch

3. Description:

Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as much
as possible and adhering to the DRY (Don't Repeat Yourself) principle.

Security Fix(es):

* django: Catastrophic backtracking in regular expressions via 'urlize' and
'urlizetrunc' (CVE-2018-7536)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank the Django project for reporting this issue.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1549777 - CVE-2018-7536 django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc'

6. Package List:

Red Hat OpenStack Platform 13.0:

Source:
python-django-1.11.11-1.el7ost.src.rpm

noarch:
python-django-bash-completion-1.11.11-1.el7ost.noarch.rpm
python2-django-1.11.11-1.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-7536
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXD/NC2aOgq3Tt24GAQhjKA/+OfuPzfdB6gCXgQyXs4zUn4hcRgpVgGww
cHKIyC5zbem9QfgcLk/FBcOGcmh7683Z30v83eR6YiILUexKsqVwfwd8MgoTOosb
/zFT+dHW0t2i4/Ii/8LGoisFFni7zWqEGGLvLzbFlgrTBCCpMaGcFRHWO3NgF4xz
bW1Wggdh2fQygCuJXgTQAyg8/R208+clwhaxE9C4ETvLW0n/DcaJlBSB5GiFWPDT
EQPsZfFb7R2yF7GpwtscEEQRRBWv6wd2hLqtJHRRGqJ0jwXX+y/3FwYF9gehKCbl
s9HL19+/jDE7JNak5UaDg2if1Bag2OPve9aiB2y2JMmd5od82hdRmWTpVopV/0Xp
UAupkXVr9py6pvu+Qmf1qZGzg1G3eBUWw54WWVZu2P/hu9aX0Z2uDMiNoDWkO/oS
tpKqQpqqCry6P/RsKdCq8UgHJpRsBVseznGwvXkfIleMWGn4Onv0cuP+PkEKkWHu
IbxKAt1k1L8ie4+a03ZTCBsEkkiRooZn5PGZEcAirc2ZYH6CKulwtpbQ6NrYwXza
JDrWfeyfolR5EjSFa9CiCqCHlh4cffpIL4KANlwPGkx1Xmvhc9AxozoiDviawcSX
4OIuTUsRgJmv+KgdFilTRI7aM+EQePtzQOs00YtELoUnTF129/Ceo8bwnSMlUDz6
x4KtrP9WuF8=
=OEV+
-----END PGP SIGNATURE-----