DebianDEBIAN:DLA-1842-1:F4FA5[SECURITY] [DLA 1842-1] python-django security update
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.007 Low
EPSS
Percentile
79.7%
Package : python-django
Version : 1.7.11-1+deb8u6
CVE ID : CVE-2019-12308
Debian Bug : #931316
It was discovered that the Django Python web development framework
did not correct identify HTTP connections when a reverse proxy
connected via HTTPS.
When deployed behind a reverse-proxy connecting to Django via HTTPS
django.http.HttpRequest.scheme would incorrectly detect client
requests made via HTTP as using HTTPS. This resulted in incorrect
results for is_secure(), and build_absolute_uri(), and that HTTP
requests would not be redirected to HTTPS in accordance with
SECURE_SSL_REDIRECT.
HttpRequest.scheme now respects SECURE_PROXY_SSL_HEADER, if it is
configured, and the appropriate header is set on the request, for
both HTTP and HTTPS requests.
If you deploy Django behind a reverse-proxy that forwards HTTP
requests, and that connects to Django via HTTPS, be sure to verify
that your application correctly handles code paths relying on scheme,
is_secure(), build_absolute_uri(), and SECURE_SSL_REDIRECT.
For Debian 8 "Jessie", this issue has been fixed in python-django version
1.7.11-1+deb8u6.
We recommend that you upgrade your python-django packages.
Regards,
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 8 | all | python-django-doc | <Â 1.7.11-1+deb8u5 | python-django-doc_1.7.11-1+deb8u5_all.deb |
| Debian | 8 | all | python-django | <Â 1.7.11-1+deb8u5 | python-django_1.7.11-1+deb8u5_all.deb |
| Debian | 8 | all | python3-django | <Â 1.7.11-1+deb8u6 | python3-django_1.7.11-1+deb8u6_all.deb |
| Debian | 9 | all | python3-django | <Â 1:1.10.7-2+deb9u5 | python3-django_1:1.10.7-2+deb9u5_all.deb |
| Debian | 8 | all | python3-django | <Â 1.7.11-1+deb8u5 | python3-django_1.7.11-1+deb8u5_all.deb |
| Debian | 8 | all | python-django-common | <Â 1.7.11-1+deb8u6 | python-django-common_1.7.11-1+deb8u6_all.deb |
| Debian | 8 | all | python-django-common | <Â 1.7.11-1+deb8u5 | python-django-common_1.7.11-1+deb8u5_all.deb |
| Debian | 8 | all | python-django | <Â 1.7.11-1+deb8u6 | python-django_1.7.11-1+deb8u6_all.deb |
| Debian | 8 | all | python-django-doc | <Â 1.7.11-1+deb8u6 | python-django-doc_1.7.11-1+deb8u6_all.deb |
| Debian | 9 | all | python-django | <Â 1:1.10.7-2+deb9u5 | python-django_1:1.10.7-2+deb9u5_all.deb |
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.007 Low
EPSS
Percentile
79.7%