Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.3709 python-django security update 29 October 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: python-django Publisher: Red Hat Operating System: Red Hat Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-14235 CVE-2019-14234 CVE-2019-14233 CVE-2019-14232 CVE-2019-12781 Reference: ESB-2020.1219 ESB-2019.3070 ESB-2019.2894 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:4390 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: python-django security update Advisory ID: RHSA-2020:4390-01 Product: Red Hat OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:4390 Issue date: 2020-10-28 CVE Names: CVE-2019-12781 CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235 ===================================================================== 1. Summary: An update for python-django is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenStack Platform 13.0 - noarch Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server - noarch 3. Description: Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle. Security Fix(es): * Incorrect HTTP detection with reverse-proxy connecting via HTTPS (CVE-2019-12781) * backtracking in a regular expression in django.utils.text.Truncator leads to DoS (CVE-2019-14232) * the behavior of the underlying HTMLParser leading to DoS (CVE-2019-14233) * SQL injection possibility in key and index lookups for JSONField/HStoreField (CVE-2019-14234) * Potential memory exhaustion in django.utils.encoding.uri_to_iri() (CVE-2019-14235) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1724497 - CVE-2019-12781 Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS 1734405 - CVE-2019-14232 Django: backtracking in a regular expression in django.utils.text.Truncator leads to DoS 1734410 - CVE-2019-14233 Django: the behavior of the underlying HTMLParser leading to DoS 1734417 - CVE-2019-14234 Django: SQL injection possibility in key and index lookups for JSONField/HStoreField 1734422 - CVE-2019-14235 Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri() 6. Package List: Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server: Source: python-django-1.11.27-1.el7ost.src.rpm noarch: python-django-bash-completion-1.11.27-1.el7ost.noarch.rpm python2-django-1.11.27-1.el7ost.noarch.rpm Red Hat OpenStack Platform 13.0: Source: python-django-1.11.27-1.el7ost.src.rpm noarch: python-django-bash-completion-1.11.27-1.el7ost.noarch.rpm python2-django-1.11.27-1.el7ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-12781 https://access.redhat.com/security/cve/CVE-2019-14232 https://access.redhat.com/security/cve/CVE-2019-14233 https://access.redhat.com/security/cve/CVE-2019-14234 https://access.redhat.com/security/cve/CVE-2019-14235 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX5m7pdzjgjWX9erEAQiHUA/8C//T3mkHCVcm0h8HlFVf7PIDLAw2SXCT y4YCD7J9WX848OC+kzPSfWXjcP+thQ7kifQR+ilMOjeh5bBh7riuxVgYqWOZornH j10R6S6Po16IcQGYg+UWPPT1oIY+VAC7CcS3i6rRXrIsMlfOl+mYiAHcToiqY4Lw s0HFsciz4HntR6ln4iNYUa5xKK0/30mgFA7izJz7xy1ajkr0tTKw2hOXulHMkz+v XzlPzNAp5NcB6HVgsrqcqks+ilacyP41cJNPbMjhjnd4uik5XMx+ViQjZns7ja53 udhhD7PPm3jWHYU+HIhTaVVZiB9/f8dkFi539IlRC5LLMXaMs2dY50/y0TXo7tCX 78s2IKFmYJ2EHCP4J8HyzZRmiHcShJoA4fL6VhWOFtoQnHMPGLeRZnqlE5n8PtWa inPdAUJehkEmhPwcwsKHa9J4GqB2xxTg+utl0auKsCdl/yhBhTXAtSHrknuzVxqw mfvIkYJ0KUNvSSTfxhBLtKhg9acosX7yXYVlhYVdVacAQvXfKx+EF4t+tbFD2igR +AzoDWHtiqrBxNYoz9dsU7YNgFaZ6J48UntixMB2/kbbsK8T3iJu4tsf0coXeYLf w2RpsH0BaBHDYO4QwqZ2gtpXJ5SJAkOo9etj2zXq1b12vidXLzt+ej4Jj+Pr8Wy/ p1T5/B4M9KY= =yuqf - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX5oUnONLKJtyKPYoAQiStg//X3nHTTyEK79XSJaDZnIoeeBxmIA3rY4T rS3qakZcEtHybgV8Cexlpmfq57+HygTmU1o8b5bpVyIAso/pmbtfwycUuW7BnJU4 3GzjHpgDyO3frhfk7joir0ivuBA9v9OKPpmAFsCHlaKVnL0VHDUjrH+GrcXeoZMD axicVjdUdrERJ7RHBXgHnStM6Q0ZjHPRdCPSnpm7nTrAm0Rug/mbb816V3HHXsZI nHC8lAPQaxSnCdaK6pqNFj4iOvWX35FiC6TvxluvEDzV0ZKSPNJmL6GQn0GNbvPY dsJeN52Tfj2kjwdpVsJraP8N8tUi49cIHr6tPxR8EochJbP22cJKMUTHYQXBV3Jy nwe5TSuBj9bHkLY/8roAY9SJKb0swYbmXvSFLMNDGf4AFYUcc5f6p1xsNIw2wSxM x4xcf1E94kWKy4TlNYAGPgvpDK+ioNx3kAOyCf7FWS2wTyh+u5wHG5hduUsTB2Q3 PceiHBGEd8qAj1KNanPRPNZilVr94zPyrcm5NUfGoFfmunnGv1Zp1J2vbJkgDd+F 56PorQmoKEmTdnEAURwbdTSH2M42vTnDfRWlBu5S1wXpn8Mcl7meCK0NILt3kxbu HJengc6xLFsLZwEjUcPHK8vaQ02SGPjjY73QAJs2W9RpXsDR0MAAoA6nyk1QhmaY c3CptBBJxGk= =OV3r -----END PGP SIGNATURE-----