RHSA-2016:0502 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: python-django security update

Type/Severity

Security Advisory: Moderate

Topic

An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle.

Security Fix(es):

An open-redirect flaw was found in the way Django's django.utils.http.is_safe_url() function filtered authentication URLs. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site. (CVE-2016-2512)
A timing attack flaw was found in the way Django's PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests. (CVE-2016-2513)

Red Hat would like to thank the Django project for reporting these issues.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 5.0 for RHEL 6 x86_64

Fixes

BZ - 1311431 - CVE-2016-2512 python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
BZ - 1311438 - CVE-2016-2513 python-django: User enumeration through timing difference on password hasher work factor upgrade

CVEs

References

http://www.redhat.com/security/updates/classification/#normal

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 5.0 for RHEL 6

SRPM
python-django-1.6.11-5.el6ost.src.rpm	SHA-256: 8eccb3b0557fa0cbe6d898f78f4f8e21a602cc999f13f37aa9821751c55c5c02
x86_64
python-django-1.6.11-5.el6ost.noarch.rpm	SHA-256: 3b4c694e6f58a16aa3796b4625066ec523c8056c55b94726ecd1ee84d16dd6b2
python-django-bash-completion-1.6.11-5.el6ost.noarch.rpm	SHA-256: b929d6f6862cc16e2c4d89faa79b864f4970f80828b03766da72dffe3992b457
python-django-doc-1.6.11-5.el6ost.noarch.rpm	SHA-256: c290470e48fcf3c0e2eab5525e9fa8d3916f1ba7280458ce664f0ca29f5e25cc

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories