Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs (e.g. http:999999999) "safe" when they shouldn't be. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

Affected versions:
* Django master development branch
* Django 1.11 (currently at release candidate status)
* Django 1.10
* Django 1.9
* Django 1.8
Acknowledgments: Name: the Django project
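The root of this report is a parsing discrepancy: a generic URL splitter that special-cases "name:digits" as a path (so it is not mistaken for a host:port) will report no scheme and no host for a string like https:999999999, while a browser reads the same string as an absolute URL to a numeric host. The example below is added here and is not Django's code or the upstream patch; the function names strict_urlsplit and is_safe_redirect, the allowed-host set and the sample inputs are constructed for illustration. It splits URLs without that digit special case and then applies the usual same-site checks (no bare scheme, no leading control characters, host and scheme allowlists), so the numeric form is rejected. The standard-library urlsplit() is called alongside for comparison only, since its handling of "scheme:digits" has changed across Python 3 releases and is not asserted on.

```python
"""Added example: a redirect-target validator that does not trust the
standard library's 'name:80 is a path' special case. Not Django's code."""
import unicodedata
from urllib.parse import urlsplit

# Characters RFC 3986 allows in a scheme after the first letter.
SCHEME_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-."


def strict_urlsplit(url):
    """Split url into (scheme, netloc, path, query, fragment).

    Any 'prefix:' made of scheme characters is treated as a scheme, even
    when everything after the colon is digits. This matches how browsers
    read 'https:999999999' (scheme https, host 999999999)."""
    scheme = netloc = query = fragment = ""
    i = url.find(":")
    if i > 0 and all(c in SCHEME_CHARS for c in url[:i]):
        scheme, url = url[:i].lower(), url[i + 1:]
    if url[:2] == "//":
        # The authority runs until the first '/', '?' or '#' after '//'.
        end = len(url)
        for delim in "/?#":
            pos = url.find(delim, 2)
            if pos >= 0:
                end = min(end, pos)
        netloc, url = url[2:end], url[end:]
    if "#" in url:
        url, fragment = url.split("#", 1)
    if "?" in url:
        url, query = url.split("?", 1)
    return scheme, netloc, url, query, fragment


def _is_safe(url, allowed_hosts, require_https):
    # Browsers read three or more leading slashes as an absolute URL.
    if url.startswith("///"):
        return False
    scheme, netloc, _path, _query, _fragment = strict_urlsplit(url)
    # A scheme with no authority (http:///x, https:999999999, javascript:...)
    # is never a same-site path.
    if scheme and not netloc:
        return False
    # Leading control characters can make a browser treat the rest as
    # scheme-relative, so reject them outright.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # Scheme-relative URLs (//host/path) inherit http(s); treat them as http.
    if netloc and not scheme:
        scheme = "http"
    valid_schemes = {"https"} if require_https else {"http", "https"}
    return (not netloc or netloc in allowed_hosts) and (
        not scheme or scheme in valid_schemes
    )


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Return True only if url stays on one of allowed_hosts (or is a
    relative path) under an http(s) scheme. Checked both as given and
    with backslashes folded to slashes, as some browsers do."""
    if not url:
        return False
    if not _is_safe(url, allowed_hosts, require_https):
        return False
    return _is_safe(url.replace("\\", "/"), allowed_hosts, require_https)


# Constructed sample inputs: (url, expected verdict with example.com allowed).
SAMPLES = [
    ("/accounts/profile/", True),
    ("https://example.com/next", True),
    ("https:999999999", False),   # the numeric form from this report
    ("http:999999999", False),
    ("http:///evil.example", False),
    ("//evil.example/", False),
    ("\x01//evil.example", False),
    ("javascript:alert(1)", False),
]


def check_samples(allowed_hosts=frozenset({"example.com"})):
    """Run every sample through is_safe_redirect; returns a list of
    (url, verdict, expected, stdlib_scheme) rows for inspection."""
    rows = []
    for url, expected in SAMPLES:
        verdict = is_safe_redirect(url, allowed_hosts)
        # Informational only: stdlib scheme detection varies by Python version.
        rows.append((url, verdict, expected, urlsplit(url).scheme))
    return rows


if __name__ == "__main__":
    for url, verdict, expected, std_scheme in check_samples():
        print(f"{url!r:28} safe={verdict!s:5} expected={expected!s:5} "
              f"stdlib scheme={std_scheme!r}")
```

The key line is the `if scheme and not netloc` test: once the splitter stops hiding the scheme behind the numeric-path special case, the same check that already blocks http:///example.com also blocks https:999999999, without any list of "bad" schemes to maintain.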
Created attachment 1267353 [details] Upstream patch 1.10.x
Created attachment 1267354 [details] Upstream patch 1.8.x
Created attachment 1267355 [details] Upstream patch 1.9.x
Created attachment 1267356 [details] Upstream patch 1.11.x
Created attachment 1267357 [details] Upstream patch master
Public via: https://www.djangoproject.com/weblog/2017/apr/04/security-releases/
Created attachment 1269476 [details] Backport to 1.6.11
This issue has been addressed in the following products: Red Hat OpenStack Platform 9.0 (Mitaka) Via RHSA-2017:1462 https://access.redhat.com/errata/RHSA-2017:1462
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 Via RHSA-2017:1451 https://access.redhat.com/errata/RHSA-2017:1451
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 Via RHSA-2017:1445 https://access.redhat.com/errata/RHSA-2017:1445
This issue has been addressed in the following products: Red Hat OpenStack Platform 8.0 (Liberty) Via RHSA-2017:1470 https://access.redhat.com/errata/RHSA-2017:1470
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2017:1596 https://access.redhat.com/errata/RHSA-2017:1596
Created Django14 tracking bugs for this issue: Affects: epel-6 [bug 1488635] Created python-django tracking bugs for this issue: Affects: epel-7 [bug 1488634] Affects: fedora-all [bug 1488636]
This issue has been addressed in the following products: Red Hat OpenStack Platform 11.0 (Ocata) Via RHSA-2017:3093 https://access.redhat.com/errata/RHSA-2017:3093
Statement: This issue affects the versions of python-django as shipped with Red Hat Satellite 6. Please note that python-django, as used by Pulp, does not make use of "is_safe_url" directly, or the "i18n" views, or the "django.contrib.auth" Login view. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue has been addressed in the following products: Red Hat Satellite 6.4 for RHEL 7 Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927