Bug 1311431 (CVE-2016-2512)

Summary: CVE-2016-2512 python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, ayoung, bkearney, cbillett, chrisw, dallan, gkotton, jjoyce, jschluet, kbasil, kseifried, lars, lhh, lpeer, markmc, mburns, mrunge, rbryant, sclewis, security-response-team, slinaber, slong, tdecacqu, tomckay, yeylon
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: python-django 1.8.10, python-django 1.9.3
Doc Type: Bug Fix
Doc Text:
An open-redirect flaw was found in the way Django's django.utils.http.is_safe_url() function filtered authentication URLs. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site.
Last Closed: 2016-04-08 00:56:01 UTC
Bug Depends On: 1314341, 1314342, 1314343, 1314344, 1314345, 1315207, 1315208, 1315209, 1315211, 1315213, 1315217, 1315218
Bug Blocks: 1311442
Attachments:
  Upstream patch 1.8.x (flags: none)
  Upstream patch 1.9.x (flags: none)
  Upstream patch master (flags: none)

Description Adam Mariš 2016-02-24 09:06:49 UTC
It was found that django.utils.http.is_safe_url(), used as a security check for redirect URLs, considered some malicious URLs with basic authentication credentials "safe", e.g. http://mysite.example.com\@attacker.com would be considered safe. Relying on is_safe_url() to provide safe redirect targets and putting such URLs into a link can also lead to an XSS attack.
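
As an added illustration (my own example code, not Django's implementation or the upstream patch), the following shows why the URL quoted above passes a redirect check that only inspects the browser-style normalised form, and a hardened check that also validates the raw URL. The function names, the host name mysite.example.com and the sample URLs are assumptions taken from or constructed around the report.

```python
from urllib.parse import urlparse

ALLOWED_SCHEMES = ('http', 'https')


def naive_is_safe_url(url, host):
    """Redirect check that only inspects the backslash-normalised URL.

    Chrome treats '\\' as '/', so after normalisation the report's URL
    becomes http://mysite.example.com/@attacker.com: its netloc matches
    ``host`` and the check accepts it. An RFC 3986 parser instead reads
    'mysite.example.com\\' as userinfo and 'attacker.com' as the host.
    """
    url = url.strip()
    if not url or url.startswith('///'):
        return False
    info = urlparse(url.replace('\\', '/'))
    if info.scheme and not info.netloc:      # e.g. http:///example.com
        return False
    return ((not info.netloc or info.netloc == host) and
            (not info.scheme or info.scheme in ALLOWED_SCHEMES))


def hardened_is_safe_url(url, host):
    """Accept a redirect target only if both the raw URL and its
    backslash-normalised form resolve to ``host`` and neither carries
    userinfo (credentials) in the authority component.
    """
    url = url.strip()
    if not url or url.startswith('///'):
        return False
    for candidate in (url, url.replace('\\', '/')):
        info = urlparse(candidate)
        if info.scheme and not info.netloc:
            return False
        if info.scheme and info.scheme not in ALLOWED_SCHEMES:
            return False
        # Any userinfo means the host the client connects to is ambiguous.
        if info.username is not None or info.password is not None:
            return False
        if info.netloc and info.hostname != host:
            return False
    return True


if __name__ == '__main__':
    crafted = 'http://mysite.example.com\\@attacker.com'   # URL from the report
    print('naive   :', naive_is_safe_url(crafted, 'mysite.example.com'))
    print('hardened:', hardened_is_safe_url(crafted, 'mysite.example.com'))
```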

Comment 1 Adam Mariš 2016-02-24 09:29:29 UTC
Created attachment 1130108 [details]
Upstream patch 1.8.x

Comment 2 Adam Mariš 2016-02-24 09:30:26 UTC
Created attachment 1130110 [details]
Upstream patch 1.9.x

Comment 3 Adam Mariš 2016-02-24 09:31:15 UTC
Created attachment 1130112 [details]
Upstream patch master

Comment 4 Adam Mariš 2016-02-26 14:10:36 UTC
Commit message contains wrong CVE number, CVE-2016-2512 is correct.

Comment 6 Adam Mariš 2016-03-03 12:33:58 UTC
External Reference:

https://www.djangoproject.com/weblog/2016/mar/01/security-releases/

Comment 8 Adam Mariš 2016-03-03 12:37:05 UTC
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1314343]

Comment 9 Adam Mariš 2016-03-03 12:37:14 UTC
Created python-django15 tracking bugs for this issue:

Affects: epel-6 [bug 1314344]

Comment 10 Adam Mariš 2016-03-03 12:37:23 UTC
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1314342]
Affects: epel-7 [bug 1314345]

Comment 13 Summer Long 2016-03-08 05:42:28 UTC
Acknowledgments:

Name: the Django project

Comment 14 Fedora Update System 2016-03-17 20:52:57 UTC
python-django-1.8.11-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2016-03-17 21:20:49 UTC
python-django-1.8.11-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2016-03-24 01:10:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7

Via RHSA-2016:0506 https://rhn.redhat.com/errata/RHSA-2016-0506.html

Comment 17 errata-xmlrpc 2016-03-24 01:11:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7

Via RHSA-2016:0505 https://rhn.redhat.com/errata/RHSA-2016-0505.html

Comment 18 errata-xmlrpc 2016-03-24 01:12:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2016:0504 https://rhn.redhat.com/errata/RHSA-2016-0504.html

Comment 19 errata-xmlrpc 2016-03-24 01:13:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7

Via RHSA-2016:0503 https://rhn.redhat.com/errata/RHSA-2016-0503.html

Comment 20 errata-xmlrpc 2016-03-24 01:13:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6

Via RHSA-2016:0502 https://rhn.redhat.com/errata/RHSA-2016-0502.html

Comment 21 Fedora Update System 2016-03-29 17:57:29 UTC
python-django-1.6.11-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.