Bug 1781269 (CVE-2019-19118)

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2019-19118 django: privilege escalation in the django admin | | |
| Product | [Other] Security Response | Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | andrea.manzi, apevec, bbuckingham, bcourt, bkearney, btotty, dbecker, hhudgeon, hvyas, jal233, jjoyce, jschluet, kbasil, lhh, lpeer, lzap, mburns, mhroncok, michal.simon, michel, mmccune, mrunge, puebele, pviktori, rchan, rhos-maint, rjerrido, sclewis, sgallagh, sisharma, slavek.kabrda, slinaber, sokeeffe, vbellur |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2020-02-27 09:49:32 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1781270, 1781271, 1781272, 1781273, 1781312, 1781361, 1807059 | | |
| Bug Blocks | 1781274 | | |
Description
Guilherme de Almeida Suckevicz
2019-12-09 16:50:47 UTC
Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1781271]
Affects: epel-8 [bug 1781272]
Affects: fedora-all [bug 1781270]
Affects: openstack-rdo [bug 1781273]

Comment

This does not affect Django 1.x? Because that's what we ship in EPEL 7. And in the Django module. And in the python2-django1.11 package.

This does not affect Django 3.0? Because that's what we ship in Fedora 32 (rawhide).

Comment 3
Miro Hrončok

3.0 is affected as well, according to https://www.openwall.com/lists/oss-security/2019/12/02/1

1.x is probably unsupported at this point, so we would need to find out ourselves. May I ask to open Bugzillas for https://src.fedoraproject.org/modules/django and https://src.fedoraproject.org/rpms/python2-django1.11 ?

Comment

Created python2-django1.11 tracking bugs for this issue:

Affects: fedora-all [bug 1781312]

Comment 5
Guilherme de Almeida Suckevicz

(In reply to Miro Hrončok from comment #3)
> 3.0 is affected as well, according to
> https://www.openwall.com/lists/oss-security/2019/12/02/1
>
> 1.x is probably unsupported at this point, so we would need to find out
> ourselves. May I ask to open Bugzillas for
> https://src.fedoraproject.org/modules/django and
> https://src.fedoraproject.org/rpms/python2-django1.11 ?

Please use the following trackers:
django: https://bugzilla.redhat.com/show_bug.cgi?id=1781270
python2-django1.11: https://bugzilla.redhat.com/show_bug.cgi?id=1781312

Comment

(In reply to Guilherme de Almeida Suckevicz from comment #5)
> (In reply to Miro Hrončok from comment #3)
> > 3.0 is affected as well, according to
> > https://www.openwall.com/lists/oss-security/2019/12/02/1
> >
> > 1.x is probably unsupported at this point, so we would need to find out
> > ourselves. May I ask to open Bugzillas for
> > https://src.fedoraproject.org/modules/django and
> > https://src.fedoraproject.org/rpms/python2-django1.11 ?
>
> Please use the following trackers:
> django: https://bugzilla.redhat.com/show_bug.cgi?id=1781270

This is for the nonmodular package. Since the modular one is a completely different version, with a different upstream and a different Fedora maintainer, could you please create a separate bug for the module?

Comment

Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1781361]

Comment

External References:
https://www.djangoproject.com/weblog/2019/dec/02/security-releases/

Comment

Statement: The version of Django shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3 is not affected, as edit-permissions are not enabled. RHOSP 13 and 15 are unaffected as the vulnerable code was not yet introduced.

Comment

Mitigation: This issue can only be resolved by applying updates. Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment

Pulp2 owns/carries django-1 and in this case is not affected by CVE-2019-19118. Pulp3 chose 2.2 because that is Django's Long-Term-Support version. We do *not* carry/own django-2.2, and pick up whatever "latest" is from the repos. Since 2.2.8 has the fix for the flaw, and it was released in December, we're already patched here.

Comment

```
# Satellite 6.6.2 --
==> rpm -q --whatrequires python-django
pulp-server-2.19.1.1-1.el7sat.noarch
==> rpm -qa | grep django
python2-django-1.11.13-1.el7sat.noarch

# Satellite 6.7.0 (snap 13) --
==> rpm -q --whatrequires python-django
pulp-server-2.21.0-1.el7sat.noarch
==> rpm -qa | grep django
python2-django-1.11.13-1.el7sat.noarch
```

We are not affected in Satellite.

Comment

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19118