Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre- and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.) Reference: https://www.openwall.com/lists/oss-security/2019/12/02/1
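As an added illustration that is not Django's own code, the following stand-in models the inline permission gating the description above refers to: in the vulnerable path the inline edit check consults only the inline model's permission and the parent's save() runs with its signal handlers, while the fix additionally requires edit permission on the parent. The Perms, Parent, gate_inline_perms and handle_inline_post names and the simplified "saved"/"rejected" outcomes are assumptions.

```python
# Added example, not Django's code: a simplified stand-in for the admin's
# inline permission gating in CVE-2019-19118. Names and outcomes are assumed.
from dataclasses import dataclass, field


@dataclass
class Perms:
    """Permissions a user holds on the parent model and the inline model."""
    parent_view: bool = False
    parent_change: bool = False
    inline_change: bool = False


@dataclass
class Parent:
    """Stand-in for the parent model instance; records save() side effects."""
    name: str
    signal_log: list = field(default_factory=list)

    def save(self):
        # Stand-in for Model.save(): pre_save/post_save receivers fire here,
        # which is the unintended side effect the advisory describes.
        self.signal_log.append("pre_save")
        self.signal_log.append("post_save")


def gate_inline_perms(perms, fixed):
    """Decide whether the inline formset is editable for this user.

    Vulnerable: only the inline model's change permission is consulted.
    Fixed (2.1.15 / 2.2.8): edit permission on the parent is required too.
    """
    if fixed:
        return perms.parent_change and perms.inline_change
    return perms.inline_change


def handle_inline_post(perms, parent, new_inline_value, fixed):
    """Process a POST to the parent's change page that carries inline data.

    Returns (outcome, inline_value). The parent's own fields are never
    written, but the vulnerable path still calls parent.save() before the
    inline formset is saved, so its signal handlers run.
    """
    if not (perms.parent_view or perms.parent_change):
        return "rejected", None
    if not gate_inline_perms(perms, fixed):
        return "rejected", None  # fixed: view-only parent => inlines read-only
    parent.save()
    return "saved", new_inline_value
```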
Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1781271]
Affects: epel-8 [bug 1781272]
Affects: fedora-all [bug 1781270]
Affects: openstack-rdo [bug 1781273]
This does not affect Django 1.x? Because that's what we ship in EPEL 7. And in the Django module. And in the python2-django1.11 package. This does not affect Django 3.0? Because that's what we ship in Fedora 32 (rawhide).
3.0 is affected as well, according to https://www.openwall.com/lists/oss-security/2019/12/02/1

1.x is probably unsupported at this point, so we would need to find out ourselves. May I ask to open Bugzillas for https://src.fedoraproject.org/modules/django and https://src.fedoraproject.org/rpms/python2-django1.11 ?
Created python2-django1.11 tracking bugs for this issue: Affects: fedora-all [bug 1781312]
(In reply to Miro Hrončok from comment #3)
> 3.0 is affected as well, according to
> https://www.openwall.com/lists/oss-security/2019/12/02/1
>
> 1.x is probably unsupported at this point, so we would need to find out
> ourselves. May I ask to open Bugzillas for
> https://src.fedoraproject.org/modules/django and
> https://src.fedoraproject.org/rpms/python2-django1.11 ?

Please use the following trackers:
django: https://bugzilla.redhat.com/show_bug.cgi?id=1781270
python2-django1.11: https://bugzilla.redhat.com/show_bug.cgi?id=1781312
(In reply to Guilherme de Almeida Suckevicz from comment #5)
> (In reply to Miro Hrončok from comment #3)
> > 3.0 is affected as well, according to
> > https://www.openwall.com/lists/oss-security/2019/12/02/1
> >
> > 1.x is probably unsupported at this point, so we would need to find out
> > ourselves. May I ask to open Bugzillas for
> > https://src.fedoraproject.org/modules/django and
> > https://src.fedoraproject.org/rpms/python2-django1.11 ?
>
> Please use the following trackers:
> django: https://bugzilla.redhat.com/show_bug.cgi?id=1781270

This is for the nonmodular package. Since the modular one is in a completely different version, with a different upstream and a different Fedora maintainer, could you please create a separate bug for the module?
Created django:1.6/python-django tracking bugs for this issue: Affects: fedora-all [bug 1781361]
Upstream fix: https://github.com/django/django/commit/11c5e0609bcc0db93809de2a08e0dc3d70b393e4
External References: https://www.djangoproject.com/weblog/2019/dec/02/security-releases/
Statement: The version of Django shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3 is not affected, as edit-permissions are not enabled.
RHOSP 13 and 15 are unaffected as the vulnerable code was not yet introduced.
Mitigation: This issue can only be resolved by applying updates. Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Pulp2 owns/carries django-1 and in this case is not affected by CVE-2019-19118. Pulp3 chose 2.2 because that is Django's Long-Term-Support version. We do *not* carry/own django-2.2, and pick up whatever "latest" is from the repos. Since 2.2.8 has the fix for the flaw, and it was released in December, we're already patched here.

# Satellite 6.6.2 --
==> rpm -q --whatrequires python-django
pulp-server-2.19.1.1-1.el7sat.noarch
==> rpm -qa | grep django
python2-django-1.11.13-1.el7sat.noarch

# Satellite 6.7.0 (snap 13) --
==> rpm -q --whatrequires python-django
pulp-server-2.21.0-1.el7sat.noarch
==> rpm -qa | grep django
python2-django-1.11.13-1.el7sat.noarch

We are not affected in Satellite.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19118