Bug 1139945 (CVE-2019-12781)

Summary: VUL-0: CVE-2019-12781: python-Django1,python-Django: Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: lnussel, meissner, ncutler, rfrohl, smash_bz, tserong
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/235963/
Whiteboard: CVSSv3:SUSE:CVE-2019-12781:6.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) CVSSv2:NVD:CVE-2019-12781:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv3:NVD:CVE-2019-12781:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2019-12781:6.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexandros Toptsoglou 2019-07-01 15:06:07 UTC 
oss-sec
mailing list archives

Django: CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS


CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting 
via HTTPS

================================================================================

When deployed behind a reverse-proxy connecting to Django via HTTPS, 
``django.http.HttpRequest.scheme`` would incorrectly detect client 
requests made via HTTP as using HTTPS. This entails incorrect results 
for ``is_secure()``, and ``build_absolute_uri()``, and that HTTP 
requests would not be redirected to HTTPS in accordance with 
``SECURE_SSL_REDIRECT``.


``HttpRequest.scheme`` now respects ``SECURE_PROXY_SSL_HEADER``, if it 
is configured, and the appropriate header is set on the request, for 
both HTTP and HTTPS requests.


If you deploy Django behind a reverse-proxy that forwards HTTP requests, 
and that connects to Django via HTTPS, be sure to verify that your 
application
correctly handles code paths relying on ``scheme``, ``is_secure()``, 
``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.


Affected supported versions
===========================

* Django master development branch
* Django 2.2 before version 2.2.3
* Django 2.1 before version 2.1.10
* Django 1.11 before version 1.11.22

Resolution
==========

Patches to resolve the issue have been applied to Django's master branch 
and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained 
from the following changesets:


* On the `master branch 
`__
* On the `2.2 release branch 
`__
* On the `2.1 release branch 
`__
* On the `1.11 release branch 
`__


The following releases have been issued:

* Django 1.11.22 (`download Django 1.11.22 
`_ 
| `1.11.22 checksums 
`_)
* Django 2.1.10 (`download Django 2.1.10 
`_ | 
`2.1.10 checksums 
`_)
* Django 2.2.3 (`download Django 2.2.3 
`_ | 
`2.2.3 checksums 
`_)


The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance, Django's GitHub repositories, or the django-developers list.
Please see `our security policies 
`_

for further information.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12781
http://seclists.org/oss-sec/2019/q3/1
Comment 1 Alexandros Toptsoglou 2019-07-01 15:07:53 UTC 
Fix for 1.11 branch at [1]

[1] https://github.com/django/django/commit/32124fc41e75074141b05f10fc55a4f01ff7f050
Comment 2 Alexandros Toptsoglou 2019-07-01 15:28:09 UTC 
All codestreams tracked as affected.

OpenSUSE 15.0,15.1 and Factory is also affected
Comment 3 Swamp Workflow Management 2019-07-18 18:00:09 UTC 
This is an autogenerated message for OBS integration:
This bug (1139945) was mentioned in
https://build.opensuse.org/request/show/716616 Factory / python-Django
Comment 4 Swamp Workflow Management 2019-07-19 12:40:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1139945) was mentioned in
https://build.opensuse.org/request/show/717077 Factory / python-Django1
Comment 6 Dirk Mueller 2019-07-26 09:11:14 UTC 
Cloud8+Cloud9 is fixed, Cloud7 still missing.
Comment 9 Swamp Workflow Management 2019-08-01 12:20:10 UTC 
This is an autogenerated message for OBS integration:
This bug (1139945) was mentioned in
https://build.opensuse.org/request/show/720192 15.1 / python-Django
Comment 12 Swamp Workflow Management 2019-08-08 19:11:41 UTC 
openSUSE-SU-2019:1839-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-11358,CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used:
openSUSE Leap 15.1 (src):    python-Django-2.2.4-lp151.2.3.1
Comment 14 Swamp Workflow Management 2019-08-14 13:23:49 UTC 
openSUSE-SU-2019:1872-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-11358,CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used:
openSUSE Backports SLE-15-SP1 (src):    python-Django-2.2.4-bp151.3.3.1
Comment 16 Jeremy Moffitt 2019-08-21 18:01:49 UTC 
backports are complete, marking resolved
Comment 17 Marcus Meissner 2019-08-22 08:40:33 UTC 
python.Django ius also maintaijned on SES4 and SES5
Comment 19 Ludwig Nussel 2019-08-26 11:58:25 UTC 
python-Django1 is also in Leap
Comment 20 Swamp Workflow Management 2019-09-02 10:32:18 UTC 
SUSE-SU-2019:2257-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    python-Django-1.11.23-3.12.1
SUSE OpenStack Cloud 8 (src):    python-Django-1.11.23-3.12.1
HPE Helion Openstack 8 (src):    python-Django-1.11.23-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2019-09-09 13:14:17 UTC 
SUSE-SU-2019:2335-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python-Django1-1.11.23-3.9.1
SUSE OpenStack Cloud 9 (src):    python-Django1-1.11.23-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2019-09-16 13:10:37 UTC 
SUSE-SU-2019:2379-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1139945
CVE References: CVE-2019-12781
Sources used:
SUSE OpenStack Cloud 7 (src):    python-Django-1.8.19-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Tim Serong 2019-11-25 11:43:26 UTC 
Submitted:

https://build.suse.de/request/show/206023 (SES4)
https://build.suse.de/request/show/206025 (SES5)
Comment 25 Nathan Cutler 2019-11-26 22:20:12 UTC 
Fixed in SES5 by https://build.suse.de/request/show/206108

SES4 is no longer supported: Maintenance declined the MR.

SES6 does not ship the package at all.

From a SUSE Enterprise Storage standpoint, there's nothing left to do (correct me if I'm wrong).
Comment 26 Nathan Cutler 2019-11-26 22:34:25 UTC 
> From a SUSE Enterprise Storage standpoint, there's nothing left to do
> (correct me if I'm wrong).

Correcting myself, the SES5 Maintenance Incident - http://merkur.qam.suse.de/incident/13377/ - is still open because:

Missing Fixes
bnc#1120932
bnc#1124991
Comment 27 Nathan Cutler 2019-11-26 22:35:54 UTC 
bnc#1120932 is CVE-2019-3498
bnc#1124991 is CVE-2019-6975
Comment 28 Tim Serong 2019-11-27 07:49:49 UTC 
(In reply to Nathan Cutler from comment #27)
> bnc#1120932 is CVE-2019-3498

The above looks straightforward to backport to django 1.6 for SES5.  Should I do this, and open a new MR?

> bnc#1124991 is CVE-2019-6975

This one I'm not so sure about.  https://github.com/django/django/commit/0bbb560183fabf0533289700845dafa94951f227 says that the problem is due to memory usage in '{:f}'.format(), but django 1.6 doesn't use that AFAICT (see the format function in https://github.com/django/django/blob/stable/1.6.x/django/utils/numberformat.py).  Can anyone advise if this one is actually required?

Thanks
Comment 29 Tim Serong 2019-11-27 09:15:45 UTC 
OK, I've opened https://build.suse.de/request/show/206202 for (In reply to Nathan Cutler from comment #27)
> bnc#1120932 is CVE-2019-3498

I've opened https://build.suse.de/request/show/206202 for this one.
Comment 31 Nathan Cutler 2019-11-28 09:28:51 UTC 
Thanks, guys. It looks like the maintenance incident is unblocked now. Release request https://build.suse.de/request/show/206237 is open.
Comment 32 Swamp Workflow Management 2019-11-29 20:11:14 UTC 
SUSE-SU-2019:3127-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1120932,1139945
CVE References: CVE-2019-12781,CVE-2019-3498
Sources used:
SUSE Enterprise Storage 5 (src):    python-Django-1.6.11-6.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Alexandros Toptsoglou 2020-05-04 08:51:01 UTC 
Done