Issued:: 2020-04-06
Updated:: 2020-04-06

RHSA-2020:1324 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: python-django security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for python-django is now available for Red Hat OpenStack Platform
15 (Stein).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as much
as possible and adhering to the DRY (Don't Repeat Yourself) principle.

Security Fix(es):

Incorrect HTTP detection with reverse-proxy connecting via HTTPS

(CVE-2019-12781)

backtracking in a regular expression in django.utils.text.Truncator leads

to DoS (CVE-2019-14232)

the behavior of the underlying HTMLParser leading to DoS (CVE-2019-14233)
SQL injection possibility in key and index lookups for

JSONField/HStoreField (CVE-2019-14234)

Potential memory exhaustion in django.utils.encoding.uri_to_iri()

(CVE-2019-14235)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

Solution

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack for IBM Power 15 ppc64le
Red Hat OpenStack 15 x86_64

Fixes

BZ - 1724497 - CVE-2019-12781 Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
BZ - 1734405 - CVE-2019-14232 Django: backtracking in a regular expression in django.utils.text.Truncator leads to DoS
BZ - 1734410 - CVE-2019-14233 Django: the behavior of the underlying HTMLParser leading to DoS
BZ - 1734417 - CVE-2019-14234 Django: SQL injection possibility in key and index lookups for JSONField/HStoreField
BZ - 1734422 - CVE-2019-14235 Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri()

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack for IBM Power 15

SRPM
python-django-2.1.11-1.el8ost.src.rpm	SHA-256: 7915c49bf0f5f6a940155bb57059b0df72e8f356d2cfc35cbd88db4e00ea97c7
ppc64le
python-django-bash-completion-2.1.11-1.el8ost.noarch.rpm	SHA-256: 36f140ce221d72a12efc04c8fbd2b1a2debb83b09bb4960ec2173b6af878cc76
python3-django-2.1.11-1.el8ost.noarch.rpm	SHA-256: c66d6df9f5b0e3b04923a8accbb403bab903fad3277a7a145280ba0c78dd7150

Red Hat OpenStack 15

SRPM
python-django-2.1.11-1.el8ost.src.rpm	SHA-256: 7915c49bf0f5f6a940155bb57059b0df72e8f356d2cfc35cbd88db4e00ea97c7
x86_64
python-django-bash-completion-2.1.11-1.el8ost.noarch.rpm	SHA-256: 36f140ce221d72a12efc04c8fbd2b1a2debb83b09bb4960ec2173b6af878cc76
python3-django-2.1.11-1.el8ost.noarch.rpm	SHA-256: c66d6df9f5b0e3b04923a8accbb403bab903fad3277a7a145280ba0c78dd7150

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation