Bug 1377376 (CVE-2016-7401)
| Summary: | CVE-2016-7401 python-django: CSRF protection bypass on a site with Google Analytics | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aortega, apevec, ayoung, bkearney, cbillett, chrisw, cvsbot-xmlrpc, gmollett, hvyas, jjoyce, jschluet, kbasil, kseifried, lhh, lpeer, markmc, mburns, mrunge, rbryant, rhos-maint, sclewis, security-response-team, sisharma, slinaber, slong, srevivo, tdecacqu, tomckay |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | django 1.9.10, django 1.8.15 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-01-19 02:56:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1378620, 1378621, 1378622, 1378623, 1378624, 1378625, 1378626, 1378627, 1378628, 1378629, 1378630, 1379486, 1379487, 1379488, 1379489 | ||
| Bug Blocks: | 1377379 | ||
|
Description
Andrej Nemec
2016-09-19 13:56:57 UTC
Acknowledgments: Name: the upstream Django project Created Django14 tracking bugs for this issue: Affects: epel-6 [bug 1379487] Created python-django15 tracking bugs for this issue: Affects: epel-6 [bug 1379488] Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1379486] Affects: epel-7 [bug 1379489] Statement: This issue did not affect the versions of calamari-server as shipped with Red Hat Ceph Storage 1.3 and 2.0 as they did not include support for google analytics with Django. Hi Eric, everything is now on QE so here are the last four: https://errata.devel.redhat.com/advisory/24936 https://errata.devel.redhat.com/advisory/24937 https://errata.devel.redhat.com/advisory/24939 https://errata.devel.redhat.com/advisory/24940 (In reply to Summer Long from comment #18) Reviewed and Approved. This issue has been addressed in the following products: Red Hat OpenStack Platform 9.0 (Mitaka) Via RHSA-2016:2043 https://rhn.redhat.com/errata/RHSA-2016-2043.html This issue has been addressed in the following products: Red Hat OpenStack Platform 8.0 (Liberty) Via RHSA-2016:2042 https://rhn.redhat.com/errata/RHSA-2016-2042.html This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 Via RHSA-2016:2039 https://rhn.redhat.com/errata/RHSA-2016-2039.html This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 Via RHSA-2016:2038 https://rhn.redhat.com/errata/RHSA-2016-2038.html This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 Via RHSA-2016:2041 https://rhn.redhat.com/errata/RHSA-2016-2041.html This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 Via RHSA-2016:2040 https://rhn.redhat.com/errata/RHSA-2016-2040.html |