Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now ensures query parameters are correctly URL encoded. Reference: https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
Created django:1.6/python-django tracking bugs for this issue: Affects: fedora-all [bug 1843630] Created python-django tracking bugs for this issue: Affects: epel-all [bug 1843626] Affects: fedora-all [bug 1843627] Affects: openstack-rdo [bug 1843631] Created python-django16 tracking bugs for this issue: Affects: epel-7 [bug 1843629]
External References: https://www.djangoproject.com/weblog/2020/jun/03/security-releases
Patches have been applied to Django's master branch and the 3.1, 3.0, and 2.2 release branches. Master branch: https://github.com/django/django/commit/2dd4d110c159d0c81dff42eaead2c378a0998735 3.1 release branch: https://github.com/django/django/commit/49d7cc19e33a104bb23f7ae1dbb1240b4f6c40f9 3.0 release branch: https://github.com/django/django/commit/1f2dd37f6fcefdd10ed44cb233b2e62b520afb38 2.2 release branch: https://github.com/django/django/commit/6d61860b22875f358fac83d903dc629897934815
Created python2-django1.11 tracking bugs for this issue: Affects: fedora-all [bug 1845525]
Statement: The following products ship the flawed code, however they do not make use of ForeignKeyRawIdWidget and are therefore not vulnerable to this flaw: * Red Hat Satellite 6 * Red Hat Update Infrastructure 3 * Red Hat OpenStack Platform 13, 15, & 16 * Red Hat Gluster Storage 3 The version of python-django shipped with Red Hat Ceph Storage(RHCS) was used with calamari and graphite which are no more supported, hence the django package will not be fixed for RHCS.