Issued:: 2020-10-28
Updated:: 2020-10-28

RHSA-2020:4390 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: python-django security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for python-django is now available for Red Hat OpenStack Platform
13 (Queens).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as much
as possible and adhering to the DRY (Don't Repeat Yourself) principle.

Security Fix(es):

Incorrect HTTP detection with reverse-proxy connecting via HTTPS

(CVE-2019-12781)

backtracking in a regular expression in django.utils.text.Truncator leads

to DoS (CVE-2019-14232)

the behavior of the underlying HTMLParser leading to DoS (CVE-2019-14233)
SQL injection possibility in key and index lookups for

JSONField/HStoreField (CVE-2019-14234)

Potential memory exhaustion in django.utils.encoding.uri_to_iri()

(CVE-2019-14235)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

Solution

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack for IBM Power 13 ppc64le
Red Hat OpenStack 13 x86_64

Fixes

BZ - 1724497 - CVE-2019-12781 Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
BZ - 1734405 - CVE-2019-14232 Django: backtracking in a regular expression in django.utils.text.Truncator leads to DoS
BZ - 1734410 - CVE-2019-14233 Django: the behavior of the underlying HTMLParser leading to DoS
BZ - 1734417 - CVE-2019-14234 Django: SQL injection possibility in key and index lookups for JSONField/HStoreField
BZ - 1734422 - CVE-2019-14235 Django: Potential memory exhaustion in django.utils.encoding.uri_to_iri()

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack for IBM Power 13

SRPM
python-django-1.11.27-1.el7ost.src.rpm	SHA-256: 425d996ef64eb914e8b6602d159d8e2b4d7dfcac2d91d880e0cab93a1c4cb0af
ppc64le
python-django-bash-completion-1.11.27-1.el7ost.noarch.rpm	SHA-256: 18b918d8f5a32e8e92d49a0c185142cda4c13ae2cd7f496144c59c465682ae5f
python2-django-1.11.27-1.el7ost.noarch.rpm	SHA-256: 629f6360934a242c7444af72580cc14d6a93c0b9197caa4315cd854b5b586011

Red Hat OpenStack 13

SRPM
python-django-1.11.27-1.el7ost.src.rpm	SHA-256: 425d996ef64eb914e8b6602d159d8e2b4d7dfcac2d91d880e0cab93a1c4cb0af
x86_64
python-django-bash-completion-1.11.27-1.el7ost.noarch.rpm	SHA-256: 18b918d8f5a32e8e92d49a0c185142cda4c13ae2cd7f496144c59c465682ae5f
python2-django-1.11.27-1.el7ost.noarch.rpm	SHA-256: 629f6360934a242c7444af72580cc14d6a93c0b9197caa4315cd854b5b586011

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation