Bugzilla – Bug 967999
VUL-0: CVE-2016-2512: python-django, python-Django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
Last modified: 2020-03-20 14:41:25 UTC
bugbot adjusting priority
public at https://www.djangoproject.com/weblog/2016/mar/01/security-releases/

CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth

Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some URLs with basic authentication credentials "safe" when they shouldn't be.

For example, a URL like http://mysite.example.com\@attacker.com would be considered safe if the request's host is http://mysite.example.com, but redirecting to this URL sends the user to attacker.com.

Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

Thanks Mark Striemer for reporting the issue.

master: https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0
1.9: https://github.com/django/django/commit/fc6d147a63f89795dbcdecb0559256470fff4380
1.8: https://github.com/django/django/commit/382ab137312961ad62feb8109d70a5a581fe8350
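Added example (not code from the bug report and not Django's own is_safe_url()): a minimal reimplementation of the check the advisory describes, with the pre-fix behaviour (backslashes normalised to slashes before parsing, so the authority is cut short) beside the fixed behaviour (the URL must pass both as written and after normalisation). The host name, the helper names and the sample URLs are constructed for illustration; the redirect target is the one quoted in the advisory.

```python
from urllib.parse import urlparse

# Constructed request host for the demonstration (assumption, not from the bug).
HOST = "mysite.example.com"

# The advisory's example target: the backslash hides "@attacker.com" from a
# slash-normalising check, while an @-aware parser sees attacker.com as the host.
MALICIOUS = "http://mysite.example.com\\@attacker.com"


def _authority_matches(url, host):
    """Common tail of both checks: a present scheme must be http/https and a
    present authority must equal the expected host exactly."""
    if url.startswith("///"):
        return False
    info = urlparse(url)
    # A scheme without an authority (javascript:, data:, http:///x) is never safe.
    if info.scheme and not info.netloc:
        return False
    return (not info.netloc or info.netloc == host) and (
        not info.scheme or info.scheme in ("http", "https")
    )


def is_safe_url_vulnerable(url, host):
    """Pre-fix behaviour as described in the advisory: '\\' is replaced by '/'
    *before* parsing, so urlparse stops the authority at the first backslash and
    the credential-looking tail '@attacker.com' ends up in the path."""
    url = (url or "").strip()
    if not url:
        return False
    return _authority_matches(url.replace("\\", "/"), host)


def is_safe_url_fixed(url, host):
    """Fixed behaviour: the URL has to be safe both as written and with
    backslashes normalised, because a backslash may be part of basic-auth
    credentials rather than a path separator."""
    url = (url or "").strip()
    if not url:
        return False
    return _authority_matches(url, host) and _authority_matches(
        url.replace("\\", "/"), host
    )


def credential_aware_host(url):
    """Host as seen by a parser that honours userinfo (urllib's .hostname):
    everything before the last '@' in the authority is treated as credentials,
    so for MALICIOUS the host is attacker.com, not mysite.example.com."""
    return urlparse(url).hostname


if __name__ == "__main__":
    for target in (MALICIOUS, "/accounts/profile/", "//attacker.com/", "javascript:alert(1)"):
        print(
            f"{target!r:45} vulnerable={is_safe_url_vulnerable(target, HOST)!s:5} "
            f"fixed={is_safe_url_fixed(target, HOST)!s:5} host={credential_aware_host(target)}"
        )
```

The pre-fix check returns True for the advisory's URL because, after normalisation, the authority is mysite.example.com and "/@attacker.com" is just a path; the fixed check also parses the raw string, where the authority is the whole "mysite.example.com\@attacker.com", which does not equal the host and is rejected. Relative paths and same-host absolute URLs still pass, and protocol-relative or javascript: targets are rejected by both versions.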
This is an autogenerated message for OBS integration: This bug (967999) was mentioned in https://build.opensuse.org/request/show/589964 42.3 / python-Django
This is an autogenerated message for OBS integration: This bug (967999) was mentioned in https://build.opensuse.org/request/show/590768 42.3 / python3-Django
openSUSE-SU-2018:0824-1: An update that fixes 12 vulnerabilities is now available. Category: security (moderate) Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999,968000 CVE References: CVE-2016-2048,CVE-2016-2512,CVE-2016-2513,CVE-2016-6186,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537 Sources used: openSUSE Leap 42.3 (src): python3-Django-1.8.19-5.3.1
openSUSE-SU-2018:0826-1: An update that fixes 12 vulnerabilities is now available. Category: security (moderate) Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999,968000 CVE References: CVE-2016-2048,CVE-2016-2512,CVE-2016-2513,CVE-2016-6186,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537 Sources used: openSUSE Leap 42.3 (src): python-Django-1.8.19-6.4.1
SUSE-SU-2018:1102-1: An update that fixes 9 vulnerabilities is now available. Category: security (moderate) Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999 CVE References: CVE-2016-2512,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537 Sources used: SUSE OpenStack Cloud 6 (src): python-Django-1.8.19-3.6.1
It looks like the python-Django package for both Devel:Cloud:6 & Devel:Cloud:7 has been updated to 1.8.19 to include the needed security fix: https://build.suse.de/package/show/Devel:Cloud:6/python-Django https://build.suse.de/package/show/Devel:Cloud:7/python-Django
@Holgi: I believe your team has to submit this.
Both SES4 and SES5 are on Django-1.6.11 - we cannot update to 1.8 since there is some incompatibility. Adding Tim and Lenz to share some more details in case this is necessary.
https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0 does actually appear to apply reasonably cleanly to Django 1.6.11 (except for the changes to the 1.8.10 and 1.9.3 release notes files, which obviously don't exist in 1.6.11), so I assume we can just add this patch to our old Django, rather than try to upgrade to 1.8.
Unfortunately openATTIC as shipped on SES is not compatible with newer Django versions and porting it to support a newer version would be a major undertaking. Therefore I'm in favor of Tim's approach suggested in comment#16.
Tim just submitted two MRs: SES5: https://build.suse.de/request/show/167321 SES4: https://build.suse.de/request/show/167322
SUSE-SU-2018:1828-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 1083304,1083305,967999 CVE References: CVE-2016-2512,CVE-2018-7536,CVE-2018-7537 Sources used: SUSE Enterprise Storage 4 (src): python-Django-1.6.11-5.5.1
SUSE-SU-2018:1830-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 1083304,1083305,967999 CVE References: CVE-2016-2512,CVE-2018-7536,CVE-2018-7537 Sources used: SUSE Enterprise Storage 5 (src): python-Django-1.6.11-6.5.1
done