When deployed behind a reverse proxy that connects to Django via HTTPS, ``django.http.HttpRequest.scheme`` would incorrectly detect client requests made via HTTP as using HTTPS. This leads to incorrect results from ``is_secure()`` and ``build_absolute_uri()``, and means HTTP requests are not redirected to HTTPS as required by ``SECURE_SSL_REDIRECT``.
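As an added illustration (not Django's code or the upstream patch itself), the following models the scheme-detection logic before and after the fix, assuming ``SECURE_PROXY_SSL_HEADER`` is set to ``X-Forwarded-Proto``; the ``META`` dictionaries and helper names are constructed for this example:

```python
# Added example, not Django's code: a minimal model of HttpRequest.scheme
# showing the pre-fix fallback and the corrected behaviour (modeled on the
# upstream patch for CVE-2019-12781). The META dicts below are constructed.

SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def wsgi_scheme(meta):
    """What the WSGI server reports: HTTPS when the proxy->Django hop is TLS."""
    return meta.get("wsgi.url_scheme", "http")


def scheme_vulnerable(meta, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Pre-fix logic: only a matching header value forces 'https'; any other
    case (header absent OR header saying 'http') falls back to the WSGI scheme,
    which is 'https' whenever the proxy reconnects to Django over TLS."""
    if proxy_header:
        header, value = proxy_header
        if meta.get(header) == value:
            return "https"
    return wsgi_scheme(meta)


def scheme_fixed(meta, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Fixed logic: when the proxy header is present it is the sole source of
    truth; the WSGI scheme is consulted only when the header is absent."""
    if proxy_header:
        header, value = proxy_header
        header_value = meta.get(header)
        if header_value is not None:
            return "https" if header_value == value else "http"
    return wsgi_scheme(meta)


# Constructed request metadata: the proxy received plain HTTP from the client,
# said so in X-Forwarded-Proto, but connected to Django over HTTPS.
CLIENT_HTTP_VIA_TLS_PROXY = {
    "wsgi.url_scheme": "https",
    "HTTP_X_FORWARDED_PROTO": "http",
}
CLIENT_HTTPS_VIA_TLS_PROXY = {
    "wsgi.url_scheme": "https",
    "HTTP_X_FORWARDED_PROTO": "https",
}


def needs_ssl_redirect(meta, scheme_fn):
    """Mirror of the SECURE_SSL_REDIRECT decision: redirect when not secure."""
    return scheme_fn(meta) != "https"
```

With the vulnerable logic the plain-HTTP client request is reported as ``https`` and never redirected; with the fixed logic the header is authoritative and the redirect fires.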
CVE now unembargoed; have added OSS reference to External References.
Acknowledgments: Name: the Django project Upstream: Gavin Wahl
External References: https://www.djangoproject.com/weblog/2019/jul/01/security-releases/
Created python-django tracking bugs for this issue: Affects: epel-7 [bug 1726015] Affects: fedora-30 [bug 1726014]
Created python-django tracking bugs for this issue: Affects: openstack-rdo [bug 1727697]
Upstream patches:
https://github.com/django/django/commit/54d0f5e62f54c29a12dd96f44bacd810cbe03ac8 [master]
https://github.com/django/django/commit/77706a3e4766da5d5fb75c4db22a0a59a28e6cd6 [2.2.x]
https://github.com/django/django/commit/1e40f427bb8d0fb37cc9f830096a97c36c97af6f [2.1.x]
https://github.com/django/django/commit/32124fc41e75074141b05f10fc55a4f01ff7f050 [1.11.x]
Statement: This issue does not affect any versions of python-django as shipped with Red Hat Update Infrastructure for Cloud Providers as the load balancer should not be configured to forward HTTP requests.
This issue has been addressed in the following products: Red Hat OpenStack Platform 15.0 (Stein) Via RHSA-2020:1324 https://access.redhat.com/errata/RHSA-2020:1324
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-12781
This issue has been addressed in the following products: Red Hat Satellite 6.7 for RHEL 8 Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS Via RHSA-2020:4390 https://access.redhat.com/errata/RHSA-2020:4390