Back to bug 1311431
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Adam Mariš | 2016-02-24 09:06:49 UTC | CC | security-response-team | |
| Red Hat Bugzilla | 2016-02-24 09:06:49 UTC | Doc Type | --- | Bug Fix |
| Adam Mariš | 2016-02-24 09:33:51 UTC | Blocks | 1311442 | |
| Adam Mariš | 2016-03-03 12:35:23 UTC | Summary | EMBARGOED CVE-2016-2512 python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth | CVE-2016-2512 python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth |
| Adam Mariš | 2016-03-03 12:35:29 UTC | Group | security, qe_staff | |
| Adam Mariš | 2016-03-03 12:36:06 UTC | Depends On | 1314341 | |
| Adam Mariš | 2016-03-03 12:36:17 UTC | Depends On | 1314342 | |
| Adam Mariš | 2016-03-03 12:36:29 UTC | Depends On | 1314343 | |
| Adam Mariš | 2016-03-03 12:36:34 UTC | Depends On | 1314344 | |
| Adam Mariš | 2016-03-03 12:36:41 UTC | Depends On | 1314345 | |
| Adam Mariš | 2016-03-07 09:18:14 UTC | Whiteboard | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-601,openstack-5/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=affected,openstack-8-optools/python-django=affected,openstack-rdo/python-django=affected,ceph-1.2/Django=affected,ceph-1.3/Django=affected,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-601,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=affected,openstack-8-optools/python-django=affected,openstack-rdo/python-django=affected,ceph-1.2/Django=affected,ceph-1.3/Django=affected,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected |
| Adam Mariš | 2016-03-07 09:21:17 UTC | Depends On | 1315207 | |
| Adam Mariš | 2016-03-07 09:21:28 UTC | Depends On | 1315208 | |
| Adam Mariš | 2016-03-07 09:21:40 UTC | Depends On | 1315209 | |
| Adam Mariš | 2016-03-07 09:21:52 UTC | Depends On | 1315211 | |
| Adam Mariš | 2016-03-07 09:22:05 UTC | Depends On | 1315213 | |
| Adam Mariš | 2016-03-07 09:28:25 UTC | Depends On | 1315217 | |
| Adam Mariš | 2016-03-07 09:28:35 UTC | Depends On | 1315218 | |
| Summer Long | 2016-03-08 05:42:28 UTC | CC | slong | |
| Summer Long | 2016-03-11 00:12:41 UTC | Doc Text | An open-redirect vulnerability was found in Django. The django.utils.http.is_safe_url() function used as a security check for redirecting URLs did not sufficiently filter authentication URLs. For example, an attacker could use the http://mysite.example.com\@attacker.com URL to redirect users to a malicious site. The flaw could also possibly be used for an XSS attack. | |
| Summer Long | 2016-03-21 23:30:36 UTC | Doc Text | An open-redirect vulnerability was found in Django. The django.utils.http.is_safe_url() function used as a security check for redirecting URLs did not sufficiently filter authentication URLs. For example, an attacker could use the http://mysite.example.com\@attacker.com URL to redirect users to a malicious site. The flaw could also possibly be used for an XSS attack. | An open-redirect vulnerability was found in Django. The django.utils.http.is_safe_url() function used as a security check for redirecting URLs did not sufficiently filter authentication URLs. For example, an attacker could use the following URL to redirect users to a malicious site: http://mysite.example.com\@attacker.com The flaw could also possibly be used for an XSS attack. |
| Martin Prpič | 2016-03-22 10:16:43 UTC | Doc Text | An open-redirect vulnerability was found in Django. The django.utils.http.is_safe_url() function used as a security check for redirecting URLs did not sufficiently filter authentication URLs. For example, an attacker could use the following URL to redirect users to a malicious site: http://mysite.example.com\@attacker.com The flaw could also possibly be used for an XSS attack. | An open-redirect flaw was found in the way Django's django.utils.http.is_safe_url() function filtered authentication URLs. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site. |
| Summer Long | 2016-04-08 00:56:01 UTC | Status | NEW | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | | 2016-04-07 20:56:01 UTC |
| Summer Long | 2016-04-08 05:53:09 UTC | Whiteboard | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-601,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=affected,openstack-8-optools/python-django=affected,openstack-rdo/python-django=affected,ceph-1.2/Django=affected,ceph-1.3/Django=affected,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-601,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=notaffected,openstack-8-optools/python-django=notaffected,openstack-rdo/python-django=affected,ceph-1.2/Django=affected,ceph-1.3/Django=affected,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected |
| Perry Myers | 2016-04-26 23:47:19 UTC | CC | pmyers | |
| Joshua Padman | 2018-09-24 01:48:05 UTC | CC | jjoyce, kbasil, mburns, slinaber | |
| | | Whiteboard | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-601,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=notaffected,openstack-8-optools/python-django=notaffected,openstack-rdo/python-django=affected,ceph-1.2/Django=affected,ceph-1.3/Django=affected,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-601,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=notaffected,openstack-8-optools/python-django=notaffected,openstack-rdo/python-django=wontfix,ceph-1.2/Django=affected,ceph-1.3/Django=affected,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected |
| Joshua Padman | 2018-09-24 03:33:28 UTC | Whiteboard | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-601,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=notaffected,openstack-8-optools/python-django=notaffected,openstack-rdo/python-django=wontfix,ceph-1.2/Django=affected,ceph-1.3/Django=affected,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-601,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=notaffected,openstack-8-optools/python-django=notaffected,openstack-rdo/python-django=affected,ceph-1.2/Django=affected,ceph-1.3/Django=affected,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected |
| Product Security DevOps Team | 2019-09-29 13:44:17 UTC | Whiteboard | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-601,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=notaffected,openstack-8-optools/python-django=notaffected,openstack-rdo/python-django=affected,ceph-1.2/Django=affected,ceph-1.3/Django=affected,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected | |