RHSA-2016:0504 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: python-django security update

Type/Severity

Security Advisory: Moderate

Topic

An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle.

Security Fix(es):

An open-redirect flaw was found in the way Django's django.utils.http.is_safe_url() function filtered authentication URLs. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site. (CVE-2016-2512)
A timing attack flaw was found in the way Django's PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests. (CVE-2016-2513)

Red Hat would like to thank the Django project for reporting these issues.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 7 x86_64

Fixes

BZ - 1311431 - CVE-2016-2512 python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
BZ - 1311438 - CVE-2016-2513 python-django: User enumeration through timing difference on password hasher work factor upgrade

CVEs

References

http://www.redhat.com/security/updates/classification/#normal

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 7

SRPM
python-django-1.8.11-1.el7ost.src.rpm	SHA-256: 2c8ae2efd8f96da4f849b6db19bc5c4fd0eb69763a723501f9d780e377f0029c
x86_64
python-django-1.8.11-1.el7ost.noarch.rpm	SHA-256: 97ea841dd773bacbdd3483ab4b8e0f973f0067e9a43d430eb46a0d7fb36cf280
python-django-bash-completion-1.8.11-1.el7ost.noarch.rpm	SHA-256: 4150ae8da3288401164510d19a04d4c8fe396a093a73c8701b454834e3a2b61f
python-django-doc-1.8.11-1.el7ost.noarch.rpm	SHA-256: e4a8381955ee6d9f3b8374eae26813f77e3c88e81a1f2a37226ed9fa00e423df

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories