Security fix for CVE-2016-7401

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for python-Django to version 1.18.18 fixes multiple issues. Security issues fixed :

  - CVE-2018-7537: Fixed catastrophic backtracking in     django.utils.text.Truncator. (bsc#1083305)

  - CVE-2018-7536: Fixed catastrophic backtracking in urlize     and urlizetrunc template filters (bsc#1083304).

  - CVE-2016-7401: CSRF protection bypass on a site with     Google Analytics (bsc#1001374).

  - CVE-2016-2513: User enumeration through timing     difference on password hasher work factor upgrade     (bsc#968000).

  - CVE-2016-2512: Fixed malicious redirect and possible XSS     attack via user-supplied redirect URLs containing basic     auth (bsc#967999).

  - CVE-2016-9013: User with hardcoded password created when     running tests on Oracle (bsc#1008050).

  - CVE-2016-9014: DNS rebinding vulnerability when     DEBUG=True (bsc#1008047).

  - CVE-2017-7234: Open redirect vulnerability in     django.views.static.serve() (bsc#1031451).

  - CVE-2017-7233: Open redirect and possible XSS attack via     user-supplied numeric redirect URLs (bsc#1031450).

  - CVE-2017-12794: Fixed XSS possibility in traceback     section of technical 500 debug page (bsc#1056284)

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2016:2038 advisory.

    Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic     design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself)     principle.

    Security Fix(es):

    * A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie     parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this     update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to     mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265     but are possible to set using ''document.cookie''. (CVE-2016-7401)

    Red Hat would like to thank the upstream Django project for reporting this issue.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Sergey Bobrov discovered that cookie parsing in Django and Google Analytics interacted such a way that an attacker could set arbitrary cookies. This allows other malicious websites to bypass the Cross-Site Request Forgery (CSRF) protections built into Django.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3089-1 advisory.

    Sergey Bobrov discovered that Django incorrectly parsed cookies when being used with Google Analytics. A     remote attacker could possibly use this issue to set arbitrary cookies leading to a CSRF protection     bypass.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2016:2042 advisory.

    Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic     design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself)     principle.

    The following packages have been upgraded to a newer upstream version: python-django (1.8.15).
    (BZ#1378621)

    Security Fix(es):

    * A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie     parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this     update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to     mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265     but are possible to set using ''document.cookie''. (CVE-2016-7401)

    Red Hat would like to thank the upstream Django project for reporting this issue.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for python3-Django to version 1.18.18 fixes multiple issues. Security issues fixed :

  - CVE-2018-7537: Fixed catastrophic backtracking in     django.utils.text.Truncator. (bsc#1083305)

  - CVE-2018-7536: Fixed catastrophic backtracking in urlize     and urlizetrunc template filters (bsc#1083304).

  - CVE-2016-7401: CSRF protection bypass on a site with     Google Analytics (bsc#1001374).

  - CVE-2016-2513: User enumeration through timing     difference on password hasher work factor upgrade     (bsc#968000).

  - CVE-2016-2512: Fixed malicious redirect and possible XSS     attack via user-supplied redirect URLs containing basic     auth (bsc#967999).

  - CVE-2016-9013: User with hardcoded password created when     running tests on Oracle (bsc#1008050).

  - CVE-2016-9014: DNS rebinding vulnerability when     DEBUG=True (bsc#1008047).

  - CVE-2017-7234: Open redirect vulnerability in     django.views.static.serve() (bsc#1031451).

  - CVE-2017-7233: Open redirect and possible XSS attack via     user-supplied numeric redirect URLs (bsc#1031450).

  - CVE-2017-12794: Fixed XSS possibility in traceback     section of technical 500 debug page (bsc#1056284)

Django Software Foundation reports :

An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2016:2041 advisory.

    Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic     design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself)     principle.

    The following packages have been upgraded to a newer upstream version: python-django (1.8.15).
    (BZ#1378620)

    Security Fix(es):

    * A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie     parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this     update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to     mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265     but are possible to set using ''document.cookie''. (CVE-2016-7401)

    Red Hat would like to thank the upstream Django project for reporting this issue.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
93975	Fedora 24 : python-django (2016-5706eeb875)	Nessus	Fedora Local Security Checks	10/12/2016	1/11/2021	high
108640	openSUSE Security Update : python-Django (openSUSE-2018-317)	Nessus	SuSE Local Security Checks	3/27/2018	12/4/2024	critical
234413	RHEL 6 : python-django (RHSA-2016:2038)	Nessus	Red Hat Local Security Checks	4/15/2025	4/15/2025	high
93723	Debian DSA-3678-1 : python-django - security update	Nessus	Debian Local Security Checks	9/27/2016	1/11/2021	high
93774	Ubuntu 14.04 LTS / 16.04 LTS : Django vulnerability (USN-3089-1)	Nessus	Ubuntu Local Security Checks	9/28/2016	8/27/2024	high
93974	Fedora 23 : python-django (2016-3795497354)	Nessus	Fedora Local Security Checks	10/12/2016	1/11/2021	high
234416	RHEL 7 : python-django (RHSA-2016:2042)	Nessus	Red Hat Local Security Checks	4/15/2025	4/15/2025	high
108641	openSUSE Security Update : python3-Django (openSUSE-2018-318)	Nessus	SuSE Local Security Checks	3/27/2018	12/4/2024	critical
93755	FreeBSD : django -- CSRF protection bypass on a site with Google Analytics (bb022643-84fb-11e6-a4a1-60a44ce6887b)	Nessus	FreeBSD Local Security Checks	9/28/2016	1/4/2021	high
94815	Fedora 25 : python-django (2016-704e85cac2)	Nessus	Fedora Local Security Checks	11/15/2016	1/11/2021	high
234409	RHEL 7 : python-django (RHSA-2016:2041)	Nessus	Red Hat Local Security Checks	4/15/2025	4/15/2025	high

Detections

Analytics

Plugins Search

high

critical

high

high

high

high

high

critical

high

high

high