Security fix for CVE-2016-7401

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for python-Django to version 1.18.18 fixes multiple issues. Security issues fixed :

  - CVE-2018-7537: Fixed catastrophic backtracking in     django.utils.text.Truncator. (bsc#1083305)

  - CVE-2018-7536: Fixed catastrophic backtracking in urlize     and urlizetrunc template filters (bsc#1083304).

  - CVE-2016-7401: CSRF protection bypass on a site with     Google Analytics (bsc#1001374).

  - CVE-2016-2513: User enumeration through timing     difference on password hasher work factor upgrade     (bsc#968000).

  - CVE-2016-2512: Fixed malicious redirect and possible XSS     attack via user-supplied redirect URLs containing basic     auth (bsc#967999).

  - CVE-2016-9013: User with hardcoded password created when     running tests on Oracle (bsc#1008050).

  - CVE-2016-9014: DNS rebinding vulnerability when     DEBUG=True (bsc#1008047).

  - CVE-2017-7234: Open redirect vulnerability in     django.views.static.serve() (bsc#1031451).

  - CVE-2017-7233: Open redirect and possible XSS attack via     user-supplied numeric redirect URLs (bsc#1031450).

  - CVE-2017-12794: Fixed XSS possibility in traceback     section of technical 500 debug page (bsc#1056284)

Sergey Bobrov discovered that cookie parsing in Django and Google Analytics interacted such a way that an attacker could set arbitrary cookies. This allows other malicious websites to bypass the Cross-Site Request Forgery (CSRF) protections built into Django.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3089-1 advisory.

    Sergey Bobrov discovered that Django incorrectly parsed cookies when being used with Google Analytics. A     remote attacker could possibly use this issue to set arbitrary cookies leading to a CSRF protection     bypass.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Django Software Foundation reports :

An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.

This update for python3-Django to version 1.18.18 fixes multiple issues. Security issues fixed :

  - CVE-2018-7537: Fixed catastrophic backtracking in     django.utils.text.Truncator. (bsc#1083305)

  - CVE-2018-7536: Fixed catastrophic backtracking in urlize     and urlizetrunc template filters (bsc#1083304).

  - CVE-2016-7401: CSRF protection bypass on a site with     Google Analytics (bsc#1001374).

  - CVE-2016-2513: User enumeration through timing     difference on password hasher work factor upgrade     (bsc#968000).

  - CVE-2016-2512: Fixed malicious redirect and possible XSS     attack via user-supplied redirect URLs containing basic     auth (bsc#967999).

  - CVE-2016-9013: User with hardcoded password created when     running tests on Oracle (bsc#1008050).

  - CVE-2016-9014: DNS rebinding vulnerability when     DEBUG=True (bsc#1008047).

  - CVE-2017-7234: Open redirect vulnerability in     django.views.static.serve() (bsc#1031451).

  - CVE-2017-7233: Open redirect and possible XSS attack via     user-supplied numeric redirect URLs (bsc#1031450).

  - CVE-2017-12794: Fixed XSS possibility in traceback     section of technical 500 debug page (bsc#1056284)

ID	Name	Product	Family	Published	Updated	Severity
93975	Fedora 24 : python-django (2016-5706eeb875)	Nessus	Fedora Local Security Checks	10/12/2016	1/11/2021	high
108640	openSUSE Security Update : python-Django (openSUSE-2018-317)	Nessus	SuSE Local Security Checks	3/27/2018	12/4/2024	critical
93723	Debian DSA-3678-1 : python-django - security update	Nessus	Debian Local Security Checks	9/27/2016	1/11/2021	high
93774	Ubuntu 14.04 LTS / 16.04 LTS : Django vulnerability (USN-3089-1)	Nessus	Ubuntu Local Security Checks	9/28/2016	8/27/2024	high
93974	Fedora 23 : python-django (2016-3795497354)	Nessus	Fedora Local Security Checks	10/12/2016	1/11/2021	high
94815	Fedora 25 : python-django (2016-704e85cac2)	Nessus	Fedora Local Security Checks	11/15/2016	1/11/2021	high
93755	FreeBSD : django -- CSRF protection bypass on a site with Google Analytics (bb022643-84fb-11e6-a4a1-60a44ce6887b)	Nessus	FreeBSD Local Security Checks	9/28/2016	1/4/2021	high
108641	openSUSE Security Update : python3-Django (openSUSE-2018-318)	Nessus	SuSE Local Security Checks	3/27/2018	12/4/2024	critical

Detections

Analytics

Plugins Search

high

critical

high

high

high

high

high

critical