In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision and potential data leakage. To avoid this vulnerability, key validation is added to the memcached cache backends. Reference: https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
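As an added illustration that is not part of this bug report and not Django's own code, the check below reconstructs the kind of key validation the description refers to: keys carrying whitespace or control characters, or longer than the 250-byte memcached limit, are rejected before they reach the backend. The function names and the `prefix:version:key` layout of `make_key` are assumptions of this example.

```python
# Added example (not Django's code): reject cache keys that memcached's text
# protocol would not parse as intended, before they are sent to the backend.
MEMCACHE_MAX_KEY_LENGTH = 250  # key length limit of the memcached text protocol


def memcache_key_warnings(key):
    """Return the reasons `key` is unsafe for memcached; an empty list means safe.

    The memcached text protocol separates command fields with whitespace and
    caps keys at 250 bytes, so a key that contains whitespace or control
    characters, or that is too long, may be stored under a different key than
    the caller intended.
    """
    problems = []
    if len(key.encode("utf-8")) > MEMCACHE_MAX_KEY_LENGTH:
        problems.append(f"longer than {MEMCACHE_MAX_KEY_LENGTH} bytes")
    # ord < 33 covers space, tab, CR, LF and the other C0 controls; 127 is DEL.
    if any(ord(ch) < 33 or ord(ch) == 127 for ch in key):
        problems.append("contains whitespace or control characters")
    return problems


def validate_memcache_key(key):
    """Hardened path: raise instead of forwarding a malformed key to memcached."""
    problems = memcache_key_warnings(key)
    if problems:
        raise ValueError(
            f"cache key {key!r} is invalid for memcached: " + "; ".join(problems)
        )
    return key


def make_key(key, key_prefix="", version=1):
    """Build the namespaced key (assumed prefix:version:key layout) and validate
    the final string, since the prefix and version are part of what is sent."""
    return validate_memcache_key(f"{key_prefix}:{version}:{key}")


if __name__ == "__main__":
    print(make_key("session:abc123", key_prefix="site"))  # site:1:session:abc123
    # Constructed sample keys that the validation rejects.
    for bad in ("user 1", "x" * 251, "a\r\nb"):
        try:
            validate_memcache_key(bad)
        except ValueError as exc:
            print(exc)
```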
Created django:1.6/python-django tracking bugs for this issue:
Affects: fedora-all [bug 1843620]

Created python-django tracking bugs for this issue:
Affects: epel-all [bug 1843616]
Affects: fedora-all [bug 1843617]
Affects: openstack-rdo [bug 1843619]

Created python-django16 tracking bugs for this issue:
Affects: epel-7 [bug 1843618]
External References: https://www.djangoproject.com/weblog/2020/jun/03/security-releases
Upstream patches:
https://github.com/django/django/commit/2c82414914ae6476be5a166be9ff49c24d0d9069
https://github.com/django/django/commit/229c9c6653356a0bc23846d83b2d4b5d0438a145
Created python2-django1.11 tracking bugs for this issue:
Affects: fedora-all [bug 1845442]
Statement: Red Hat Satellite 6 ships the affected python-django; however, it does not use the memcached implementation in product code and hence is not vulnerable to this flaw. Red Hat Update Infrastructure 3 ships an affected version of python-django; however, it does not use memcached as a cache backend and is not vulnerable to this flaw. Red Hat Ceph Storage (RHCS) ships an affected version of python-django used with calamari and graphite, which are no longer supported; hence the django package will not be fixed for RHCS.
This issue has been addressed in the following products:
Red Hat OpenStack Platform 16.1
Via RHSA-2021:0915 https://access.redhat.com/errata/RHSA-2021:0915
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13254
This issue has been addressed in the following products:
Red Hat OpenStack Platform 13.0 (Queens)
Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS
Via RHSA-2021:0933 https://access.redhat.com/errata/RHSA-2021:0933