A flaw was found in Django. If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.
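The three conditions in the description (CommonMiddleware enabled, APPEND_SLASH on, a URL pattern that accepts any path ending in a slash) can be audited from a settings module and URLconf, and the upstream fix escapes a leading "//" in the redirect path so it can no longer be parsed as a protocol-relative URL. The following is an added example written for this entry, not Django's code: the settings dict, the URL regexes and the probe path are constructed, and escape_leading_slashes is a stand-alone reimplementation of the idea behind the upstream patch, not an import of Django's own helper.

```python
import re
from urllib.parse import urlsplit

COMMON_MIDDLEWARE = "django.middleware.common.CommonMiddleware"

# Constructed stand-in for a project's settings module (assumption, not a real project).
SETTINGS = {
    "MIDDLEWARE": [
        "django.middleware.security.SecurityMiddleware",
        COMMON_MIDDLEWARE,
    ],
    "APPEND_SLASH": True,  # Django's default is also True
}

# Constructed URLconf regexes. The first one is the CMS-style "any path ending in a slash"
# pattern the advisory describes; the second only matches a single slug segment.
URL_REGEXES = [
    r"^(?P<path>.*)/$",
    r"^articles/(?P<slug>[\w-]+)/$",
]


def has_catch_all_slash_pattern(regexes, probe="some/arbitrary/depth/"):
    """True if any regex accepts an arbitrary multi-segment path ending in '/'."""
    return any(re.match(rx, probe) for rx in regexes)


def config_is_at_risk(settings, regexes):
    """All three preconditions from the advisory must hold for the flaw to apply."""
    uses_common = COMMON_MIDDLEWARE in settings.get("MIDDLEWARE", [])
    append_slash = settings.get("APPEND_SLASH", True)
    return bool(uses_common and append_slash and has_catch_all_slash_pattern(regexes))


def escape_leading_slashes(path):
    """Neutralise a leading '//' so the path stays relative when used in a redirect.

    Reimplementation of the idea in the upstream fix (assumption; not Django's helper):
    '//host/...' is a protocol-relative URL, '/%2Fhost/...' is a plain local path.
    """
    if path.startswith("//"):
        return "/%2F" + path[2:]
    return path


def redirect_target_is_local(path):
    """A safe APPEND_SLASH redirect must have no network location component."""
    return urlsplit(path).netloc == ""


if __name__ == "__main__":
    print("configuration at risk:", config_is_at_risk(SETTINGS, URL_REGEXES))
    sample = "//other.example/"  # constructed request path shape; the host is a placeholder
    print("raw path local?     ", redirect_target_is_local(sample))
    fixed = escape_leading_slashes(sample)
    print("escaped path:       ", fixed, "local?", redirect_target_is_local(fixed))
```

Running this shows the constructed settings flagged as at risk (all three conditions hold), the raw "//" path parsed by urlsplit as having a network location, and the escaped form parsed as a purely local path. The audit is the part worth reusing: removing any one of the three conditions, or upgrading to a release carrying the upstream patches, is the mitigation.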
External Reference:
https://www.djangoproject.com/weblog/2018/aug/01/security-releases/

Upstream Patches:
https://github.com/django/django/commit/a656a681272f8f3734b6eb38e9a88aa0d91806f1
https://github.com/django/django/commit/c4e5ff7fdb5fce447675e90291fd33fddd052b3c
https://github.com/django/django/commit/6fffc3c6d420e44f4029d5643f38d00a39b08525
https://github.com/django/django/commit/d6eaee092709aad477a9894598496c6deec532ff

Created python-django tracking bugs for this issue:
Affects: epel-7 [bug 1611050]
Affects: fedora-all [bug 1611052]

Created python-django16 tracking bugs for this issue:
Affects: epel-7 [bug 1611051]
Note that there is also:
https://src.fedoraproject.org/rpms/python2-django1.11
And:
https://src.fedoraproject.org/rpms/python-django/branch/1.6 (1.6 modular build of Django for Fedora)

This issue has been addressed in the following products:
Red Hat Gluster Storage 3.4 for RHEL 7
Via RHSA-2019:0265 https://access.redhat.com/errata/RHSA-2019:0265
Statement:
This issue did not affect the versions of python-django as shipped with Red Hat Update Infrastructure 3, as the vulnerable code was introduced in a newer version of the package.

Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates.

Although Red Hat Satellite 6 contains the vulnerable component, it is not affected by this flaw since the condition to exploit the vulnerability cannot be satisfied.

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-django package.