Bug 1077714 (CVE-2018-6188)

Summary: VUL-0: CVE-2018-6188: python-Django: Notice of upcoming Django security releases (2.0.2, 1.11.10)
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Ondřej Súkup <mimi.vx>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: rsalevsky, smash_bz, tbechtold
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/199039/
Whiteboard: CVSSv3:RedHat:CVE-2018-6188:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2018-01-26 08:54:54 UTC
CVE-2018-6188

Date: Thu, 25 Jan 2018 13:06:52 -0500
From: Tim Graham <timograham@gmail.com>
Subject: [security@suse.de] Notice of upcoming Django security releases (2.0.2, 1.11.10)

You're receiving this message because you are on the security
prenotification list for the Django web framework; information about
this list can be found in our security policy [1].

In accordance with that policy, a set of security releases will be
issued on Thursday, February 1, 2018 around 1400 UTC. This message
contains descriptions of the issues, descriptions of the changes which
will be made to Django, and the patches which will be applied to Django.

CVE-2018-6188: Information leakage in AuthenticationForm
========================================================

A regression in Django 1.11.8 made
django.contrib.auth.forms.AuthenticationForm run its
confirm_login_allowed() method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
confirm_login_allowed() raises. If confirm_login_allowed() isn't
overridden, an attacker can enter an arbitrary username and see if that user has
been set to is_active=False. If confirm_login_allowed() is overridden,
more sensitive details could be leaked.

This issue is fixed with the caveat that AuthenticationForm can no longer
raise the "This account is inactive." error if the authentication backend
rejects inactive users (the default authentication backend, ModelBackend,
has done that since Django 1.10). This issue will be revisited for
Django 2.1 as a fix to address the caveat will likely be too invasive
for inclusion in older versions.

Affected versions
=================

* Django master development branch
* Django 2.0 and 2.0.1
* Django 1.11.8 and 1.11.9

Resolution
==========

Included with this email are patches implementing the change described
above for each affected version of Django. On the release date, these
patches will be applied to the Django development repository and the
following releases will be issued along with disclosure of the issues:

* Django 2.0.2
* Django 1.11.10

[1] https://www.djangoproject.com/security/


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6188
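The ordering defect described in the notice above, modelled as an added example (this is not Django's code and not part of this bug report): a stripped-down login form over a constructed two-user store, the regressed clean() ordering beside the fixed one, and a check a practitioner can run against any login form to confirm that a wrong password yields the same error for active, inactive and unknown accounts. The names USERS, authenticate, clean_regressed, clean_fixed and messages_are_indistinguishable are assumptions of this illustration, not identifiers from the page or from Django.

```python
"""Illustration of the CVE-2018-6188 ordering bug as a self-contained model
(not Django's code): a login form must not run per-user checks such as
confirm_login_allowed() until the password has been verified, otherwise
the error message becomes an oracle for account state."""
import hashlib
import hmac


def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample user store: username -> (password hash, is_active).
USERS = {
    "alice": (_h("correct horse"), True),
    "bob": (_h("battery staple"), False),   # inactive account
}

INVALID_LOGIN = "Please enter a correct username and password."
INACTIVE = "This account is inactive."


class ValidationError(Exception):
    pass


def authenticate(username: str, password: str):
    """Mimics the default backend: rejects wrong passwords and inactive
    users alike, returning None in both cases."""
    rec = USERS.get(username)
    if rec is None:
        return None
    pw_hash, is_active = rec
    if not hmac.compare_digest(pw_hash, _h(password)):
        return None
    if not is_active:
        return None
    return username


def confirm_login_allowed(username: str) -> None:
    """Default policy hook: refuse inactive users with a distinct message."""
    if not USERS[username][1]:
        raise ValidationError(INACTIVE)


def clean_regressed(username: str, password: str) -> str:
    """Ordering as in the regressed release: on an authentication failure the
    form looks the account up by username and runs confirm_login_allowed()
    before raising the generic error, so no valid password is needed."""
    if authenticate(username, password) is None:
        if username in USERS:
            confirm_login_allowed(username)   # leaks is_active to anyone
        raise ValidationError(INVALID_LOGIN)
    confirm_login_allowed(username)
    return username


def clean_fixed(username: str, password: str) -> str:
    """Fixed ordering: per-user checks run only after the backend accepted
    the credentials, so every failure yields the same generic message."""
    if authenticate(username, password) is None:
        raise ValidationError(INVALID_LOGIN)
    confirm_login_allowed(username)
    return username


def error_for(clean, username: str, password: str) -> str:
    """Run a clean() variant and return the message it raises, or 'ok'."""
    try:
        clean(username, password)
        return "ok"
    except ValidationError as e:
        return str(e)


def messages_are_indistinguishable(clean) -> bool:
    """Defensive check: with a wrong password, the error must be identical
    for an active, an inactive and a non-existent account."""
    msgs = {error_for(clean, u, "wrong") for u in ("alice", "bob", "nobody")}
    return len(msgs) == 1


if __name__ == "__main__":
    for name, fn in (("regressed", clean_regressed), ("fixed", clean_fixed)):
        print(name, "inactive user, wrong password ->", error_for(fn, "bob", "wrong"))
        print(name, "same message for all accounts?", messages_are_indistinguishable(fn))
```

The model also shows the caveat the notice mentions: after the fix, an inactive user who supplies the correct password receives the generic message too, because the backend already returned None for the inactive account and the form never reaches confirm_login_allowed(). Regaining the "This account is inactive." message without reopening the oracle is the change deferred to Django 2.1.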
Comment 1 Marcus Meissner 2018-01-26 08:55:40 UTC
CRD: 2018-02-01 14:00
Comment 2 Marcus Meissner 2018-01-26 08:59:04 UTC
This does not seem to affect python-Django older than 1.11.8, as the regression was added there.
Comment 4 Johannes Segitz 2018-02-06 07:19:27 UTC
Public: https://www.djangoproject.com/weblog/2018/feb/01/security-releases/

openSUSE Factory affected, but we have no maintainer there. Would you be willing to take this one?
Comment 5 Thomas Bechtold 2018-02-07 14:02:32 UTC
Done via https://build.opensuse.org/request/show/573722
Comment 6 Thomas Bechtold 2018-02-07 14:07:55 UTC
And for python-Django1: https://build.opensuse.org/request/show/573723
Comment 7 Swamp Workflow Management 2018-02-28 10:30:20 UTC
This is an autogenerated message for OBS integration:
This bug (1077714) was mentioned in
https://build.opensuse.org/request/show/580902 Backports:SLE-12 / python-Django
Comment 8 Swamp Workflow Management 2018-03-01 11:10:08 UTC
This is an autogenerated message for OBS integration:
This bug (1077714) was mentioned in
https://build.opensuse.org/request/show/581630 Backports:SLE-12 / python-Django
Comment 9 Swamp Workflow Management 2018-03-07 17:08:48 UTC
openSUSE-SU-2018:0632-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1077714
CVE References: CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-6188
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    python-Django-1.11.10-5.1