Bug 1724497 (CVE-2019-12781)
| Summary: | CVE-2019-12781 Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | msiddiqu |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | apevec, bbuckingham, bcourt, bkearney, btotty, dbecker, hhudgeon, jal233, Jeno, jjoyce, jschluet, kbasil, lhh, lpeer, lzap, mburns, mhroncok, mhulan, michel, mmccune, mrunge, pviktori, rchan, rhos-maint, rjerrido, rschiron, sadas, sclewis, security-response-team, sgallagh, sisharma, slavek.kabrda, slinaber, vbellur |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Django 2.2.3, Django 2.1.10, Django 1.11.22 | Doc Type: | If docs needed, set a value |
| Doc Text: |
An HTTP detection flaw was discovered in Django. If deployed behind a reverse-proxy connecting to Django via HTTPS, django.http.HttpRequest.scheme() incorrectly detected client requests made using HTTP as using HTTPS. This resulted in incorrect results for is_secure() and build_absolute_uri(), and HTTP requests were not correctly redirected to HTTPS in accordance with SECURE_SSL_REDIRECT.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-06 10:31:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1726015, 1729397, 1705025, 1726014, 1726019, 1727691, 1727692, 1727693, 1727694, 1727695, 1727696, 1727697, 1728140 | ||
| Bug Blocks: | 1724530 | ||
|
Description
msiddiqu
2019-06-27 08:24:15 UTC
CVE now unembargoed, have add OSS reference to External References. Acknowledgments: Name: the Django project Upstream: Gavin Wahl External References: https://www.djangoproject.com/weblog/2019/jul/01/security-releases/ Created python-django tracking bugs for this issue: Affects: epel-7 [bug 1726015] Affects: fedora-30 [bug 1726014] Created python-django tracking bugs for this issue: Affects: openstack-rdo [bug 1727697] Upstream patches: https://github.com/django/django/commit/54d0f5e62f54c29a12dd96f44bacd810cbe03ac8 [master] https://github.com/django/django/commit/77706a3e4766da5d5fb75c4db22a0a59a28e6cd6 [2.2.x] https://github.com/django/django/commit/1e40f427bb8d0fb37cc9f830096a97c36c97af6f [2.1.x] https://github.com/django/django/commit/32124fc41e75074141b05f10fc55a4f01ff7f050 [1.11.x] Statement: This issue does not affect any versions of python-django as shipped with Red Hat Update Infrastructure for Cloud Providers as the load balancer should not be configured to forward HTTP requests. This issue has been addressed in the following products: Red Hat OpenStack Platform 15.0 (Stein) Via RHSA-2020:1324 https://access.redhat.com/errata/RHSA-2020:1324 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-12781 This issue has been addressed in the following products: Red Hat Satellite 6.7 for RHEL 8 Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366 This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS Via RHSA-2020:4390 https://access.redhat.com/errata/RHSA-2020:4390 |