Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now ensures query parameters are correctly URL encoded.
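As an added illustration (not Django's own code), the unsafe string-concatenation pattern described above is placed beside a construction that percent-encodes every key and value with ``urllib.parse.urlencode``; the parameter names and the sample value are constructed for this example.

```python
from urllib.parse import urlencode, parse_qs

# Constructed sample: a filter dict of the kind a raw-id widget derives from
# limit_choices_to. The second value deliberately contains characters that are
# meaningful both in HTML and in a URL.
SAMPLE_PARAMS = {
    "status__exact": "open",
    "owner__name": 'o\'brien "<x>" & co',
}


def build_query_unsafe(params):
    """The flawed pattern: keys and values are concatenated verbatim, so any
    quote, angle bracket or ampersand in a value lands in the href untouched
    (an ampersand even splits the value into a second parameter)."""
    return "&".join("%s=%s" % (k, v) for k, v in params.items())


def build_query_safe(params):
    """The corrected pattern: urlencode percent-encodes every key and value,
    so the query string carries only URL-safe characters."""
    return urlencode(params)


def contains_raw_markup_chars(query):
    """Check a built query string for characters that must never appear
    unencoded in a URL that is later placed in an HTML attribute."""
    return any(ch in query for ch in "<>\"'")


def round_trips(params):
    """Confirm the encoded form still carries the intended filter values."""
    decoded = parse_qs(build_query_safe(params))
    return {k: v[0] for k, v in decoded.items()} == params


if __name__ == "__main__":
    print("unsafe:", build_query_unsafe(SAMPLE_PARAMS))
    print("safe:  ", build_query_safe(SAMPLE_PARAMS))
```

URL encoding fixes what reaches the href value; the template's HTML escaping of the attribute as a whole still applies on top of it.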
Created django:1.6/python-django tracking bugs for this issue:
Affects: fedora-all [bug 1843630]
Created python-django tracking bugs for this issue:
Affects: epel-all [bug 1843626]
Affects: fedora-all [bug 1843627]
Affects: openstack-rdo [bug 1843631]
Created python-django16 tracking bugs for this issue:
Affects: epel-7 [bug 1843629]
Patches have been applied to Django's master branch and the 3.1, 3.0, and 2.2 release branches.
Master branch: https://github.com/django/django/commit/2dd4d110c159d0c81dff42eaead2c378a0998735
3.1 release branch: https://github.com/django/django/commit/49d7cc19e33a104bb23f7ae1dbb1240b4f6c40f9
3.0 release branch: https://github.com/django/django/commit/1f2dd37f6fcefdd10ed44cb233b2e62b520afb38
2.2 release branch: https://github.com/django/django/commit/6d61860b22875f358fac83d903dc629897934815
Created python2-django1.11 tracking bugs for this issue:
Affects: fedora-all [bug 1845525]
The following products ship the flawed code; however, they do not make use of ForeignKeyRawIdWidget and are therefore not vulnerable to this flaw:
* Red Hat Satellite 6
* Red Hat Update Infrastructure 3
* Red Hat OpenStack Platform 13, 15, & 16
* Red Hat Gluster Storage 3
The version of python-django shipped with Red Hat Ceph Storage (RHCS) was used with calamari and graphite, which are no longer supported; hence the django package will not be fixed for RHCS.