Red Hat Product Errata RHSA-2016:2040 - Security Advisory

Issued:: 2016-10-10
Updated:: 2016-10-10

RHSA-2016:2040 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: python-django security update

Type/Severity

Security Advisory: Moderate

Topic

An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle.

Security Fix(es):

A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''. (CVE-2016-7401)

Red Hat would like to thank the upstream Django project for reporting this issue.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 6.0 x86_64

Fixes

BZ - 1377376 - CVE-2016-7401 python-django: CSRF protection bypass on a site with Google Analytics

CVEs

CVE-2016-7401

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 6.0

SRPM
python-django-1.6.11-6.el7ost.src.rpm	SHA-256: b8c29b2c29937824d1b8e2ceef19e76b0a5691008261ca12cb16dc31e0c61f05
x86_64
python-django-1.6.11-6.el7ost.noarch.rpm	SHA-256: bfd02cbdaa8be4298909d52530a829ebd1863002665e250a7b6368870a220a14
python-django-bash-completion-1.6.11-6.el7ost.noarch.rpm	SHA-256: b37b8eed378e9ac1820e4c097f1efe645fbebdff481ce50f467ec528b954bfd3
python-django-doc-1.6.11-6.el7ost.noarch.rpm	SHA-256: c131c00ca6053a18086175133a88b6f96705f8052d869b3cdf7c69b156f2d5dd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories