Bugzilla – Bug 1077714
VUL-0: CVE-2018-6188: python-Django: Notice of upcoming Django security releases (2.0.2, 1.11.10)
Last modified: 2024-06-18 17:40:01 UTC
CVE-2018-6188

Date: Thu, 25 Jan 2018 13:06:52 -0500
From: Tim Graham <timograham@gmail.com>
Subject: [security@suse.de] Notice of upcoming Django security releases (2.0.2, 1.11.10)

You're receiving this message because you are on the security prenotification list for the Django web framework; information about this list can be found in our security policy [1]. In accordance with that policy, a set of security releases will be issued on Thursday, February 1, 2018 around 1400 UTC. This message contains descriptions of the issues, descriptions of the changes which will be made to Django, and the patches which will be applied to Django.

CVE-2018-6188: Information leakage in AuthenticationForm
========================================================

A regression in Django 1.11.8 made django.contrib.auth.forms.AuthenticationForm run its confirm_login_allowed() method even if an incorrect password is entered. This can leak information about a user, depending on what messages confirm_login_allowed() raises. If confirm_login_allowed() isn't overridden, an attacker can enter an arbitrary username and see if that user has been set to is_active=False. If confirm_login_allowed() is overridden, more sensitive details could be leaked.

This issue is fixed with the caveat that AuthenticationForm can no longer raise the "This account is inactive." error if the authentication backend rejects inactive users (the default authentication backend, ModelBackend, has done that since Django 1.10). This issue will be revisited for Django 2.1 as a fix to address the caveat will likely be too invasive for inclusion in older versions.

Affected versions
=================

* Django master development branch
* Django 2.0 and 2.0.1
* Django 1.11.8 and 1.11.9

Resolution
==========

Included with this email are patches implementing the change described above for each affected version of Django.

On the release date, these patches will be applied to the Django development repository and the following releases will be issued along with disclosure of the issues:

* Django 2.0.2
* Django 1.11.10

[1] https://www.djangoproject.com/security/

References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6188
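The advisory above describes the regression in prose only. The following is an added example, not code from the Django project or from the advisory: it models the two versions of AuthenticationForm.clean() in plain Python (no Django import) so the leak can be exercised offline. The user store, the ModelBackend stand-in, the helper names (clean_vulnerable, clean_fixed, probe, enumerate_inactive) and the sample usernames/passwords are all constructed for this illustration and are not Django APIs or real data.

```python
"""Model of CVE-2018-6188 (Django 1.11.8/1.11.9, 2.0/2.0.1) in plain Python.

Everything here is a constructed stand-in: USERS is fake data, and the
functions mimic the control flow of django.contrib.auth's ModelBackend and
AuthenticationForm without importing Django.
"""

INVALID_LOGIN = "Please enter a correct username and password."
INACTIVE = "This account is inactive."

# Constructed user store: username -> (password, is_active). Not real credentials.
USERS = {
    "alice": ("s3cret-alice", False),  # exists but deactivated
    "bob": ("s3cret-bob", True),       # exists and active
}


class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError."""


def model_backend_authenticate(username, password):
    """Stand-in for ModelBackend.authenticate(): since Django 1.10 it returns
    None both for a wrong password and for an inactive user."""
    entry = USERS.get(username)
    if entry is None:
        return None
    stored_password, is_active = entry
    if stored_password != password or not is_active:
        return None
    return {"username": username, "is_active": is_active}


def get_by_natural_key(username):
    """Stand-in for UserModel._default_manager.get_by_natural_key()."""
    entry = USERS.get(username)
    if entry is None:
        raise KeyError(username)
    return {"username": username, "is_active": entry[1]}


def confirm_login_allowed(user):
    """Default AuthenticationForm.confirm_login_allowed(): reject inactive users."""
    if not user["is_active"]:
        raise ValidationError(INACTIVE)


def clean_vulnerable(username, password):
    """Regressed behaviour: when authenticate() returns None, the form still
    looks the user up by name and runs confirm_login_allowed(), so its
    message escapes even though no valid password was supplied."""
    user = model_backend_authenticate(username, password)
    if user is None:
        try:
            user = get_by_natural_key(username)
        except KeyError:
            pass
        else:
            confirm_login_allowed(user)  # leaks is_active to an unauthenticated caller
        raise ValidationError(INVALID_LOGIN)
    confirm_login_allowed(user)
    return user


def clean_fixed(username, password):
    """Fixed behaviour (1.11.10 / 2.0.2): only a successfully authenticated user
    reaches confirm_login_allowed(); every failure is the generic error."""
    user = model_backend_authenticate(username, password)
    if user is None:
        raise ValidationError(INVALID_LOGIN)
    confirm_login_allowed(user)
    return user


def probe(clean, username, password="wrong-password"):
    """What an unauthenticated attacker observes for a guessed username."""
    try:
        clean(username, password)
    except ValidationError as e:
        return str(e)
    return "login ok"


def enumerate_inactive(clean, candidates):
    """Use the error message as an oracle: which candidate usernames does this
    version of the form reveal as existing-but-inactive?"""
    return sorted(u for u in candidates if probe(clean, u) == INACTIVE)


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("vulnerable form reveals:", enumerate_inactive(clean_vulnerable, names))  # ['alice']
    print("fixed form reveals:     ", enumerate_inactive(clean_fixed, names))       # []
```

Two things the model makes concrete. First, the oracle needs no password at all: against the vulnerable flow a wrong password for "alice" yields "This account is inactive." while "bob" and the nonexistent "carol" both yield the generic message, so a wordlist of usernames enumerates deactivated accounts; a site that overrides confirm_login_allowed() with richer messages leaks whatever those messages say through the same path. Second, the caveat from the advisory is visible in clean_fixed: because the ModelBackend stand-in already rejects inactive users, even the correct password for "alice" produces the generic error rather than the inactive message.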
CRD: 2018-02-01 14:00
This does not seem to affect python-Django older than 1.11.8, as it was added there.
Public: https://www.djangoproject.com/weblog/2018/feb/01/security-releases/

openSUSE Factory is affected, but we have no maintainer there. Would you be willing to take this one?
Done via https://build.opensuse.org/request/show/573722
And for python-Django1: https://build.opensuse.org/request/show/573723
This is an autogenerated message for OBS integration: This bug (1077714) was mentioned in https://build.opensuse.org/request/show/580902 Backports:SLE-12 / python-Django
This is an autogenerated message for OBS integration: This bug (1077714) was mentioned in https://build.opensuse.org/request/show/581630 Backports:SLE-12 / python-Django
openSUSE-SU-2018:0632-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1077714 CVE References: CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-6188 Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): python-Django-1.11.10-5.1
This is an autogenerated message for OBS integration: This bug (1077714) was mentioned in https://build.opensuse.org/request/show/1068019 Backports:SLE-12-SP1 / python-Django
openSUSE-SU-2023:0077-1: An update that fixes 11 vulnerabilities is now available. Category: security (important) Bug References: 1077714,1102680,1208082,937524,952198,988420 CVE References: CVE-2015-3982,CVE-2015-5145,CVE-2015-5963,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-14574,CVE-2018-6188,CVE-2018-7536,CVE-2018-7537,CVE-2023-24580 JIRA References: Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): python-Django-1.11.15-2.1