Bugzilla – Bug 1139945
VUL-0: CVE-2019-12781: python-Django1,python-Django: Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
Last modified: 2020-05-04 08:51:01 UTC
oss-sec mailing list archives: Django: CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS

CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
================================================================================

When deployed behind a reverse-proxy connecting to Django via HTTPS, ``django.http.HttpRequest.scheme`` would incorrectly detect client requests made via HTTP as using HTTPS. This entails incorrect results for ``is_secure()``, and ``build_absolute_uri()``, and that HTTP requests would not be redirected to HTTPS in accordance with ``SECURE_SSL_REDIRECT``.

``HttpRequest.scheme`` now respects ``SECURE_PROXY_SSL_HEADER``, if it is configured, and the appropriate header is set on the request, for both HTTP and HTTPS requests.

If you deploy Django behind a reverse-proxy that forwards HTTP requests, and that connects to Django via HTTPS, be sure to verify that your application correctly handles code paths relying on ``scheme``, ``is_secure()``, ``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.

Affected supported versions
===========================

* Django master development branch
* Django 2.2 before version 2.2.3
* Django 2.1 before version 2.1.10
* Django 1.11 before version 1.11.22

Resolution
==========

Patches to resolve the issue have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets:

* On the `master branch `__
* On the `2.2 release branch `__
* On the `2.1 release branch `__
* On the `1.11 release branch `__

The following releases have been issued:

* Django 1.11.22 (`download Django 1.11.22 `_ | `1.11.22 checksums `_)
* Django 2.1.10 (`download Django 2.1.10 `_ | `2.1.10 checksums `_)
* Django 2.2.3 (`download Django 2.2.3 `_ | `2.2.3 checksums `_)

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.
General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via private email to ``security () djangoproject com``, and not via Django's Trac instance, Django's GitHub repositories, or the django-developers list. Please see `our security policies `_ for further information.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12781
http://seclists.org/oss-sec/2019/q3/1
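The following is an added illustration of the behaviour the advisory above describes; it is not Django's code and not part of the bug report. It models the relevant part of ``HttpRequest.scheme`` in a few lines (my reconstruction of the pre-fix and post-fix logic, based on the advisory text and the 1.11 fix commit linked in this bug; the setting shape and the WSGI environ are constructed for the example) so that the three affected code paths, ``is_secure()``, ``build_absolute_uri()`` and the ``SECURE_SSL_REDIRECT`` decision, can be compared for a client that spoke plain HTTP to a proxy which then connected to the application over TLS.

```python
"""Model of the CVE-2019-12781 scheme-detection flaw and its fix.

Constructed example: a minimal stand-in for the scheme logic of
django.http.HttpRequest, not Django's own code.
"""

# Constructed setting, mirroring the shape of Django's SECURE_PROXY_SSL_HEADER:
# (WSGI META key carrying the proxy's header, value meaning "client used HTTPS").
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def scheme_vulnerable(meta: dict) -> str:
    """Pre-fix behaviour (reconstructed): the proxy header is only consulted
    when it carries the 'https' value; any other value falls through to the
    scheme of the proxy-to-app hop (wsgi.url_scheme), which is 'https'
    whenever the proxy itself connects over TLS."""
    header, value = SECURE_PROXY_SSL_HEADER
    if meta.get(header) == value:
        return "https"
    return meta.get("wsgi.url_scheme", "http")


def scheme_fixed(meta: dict) -> str:
    """Post-fix behaviour (reconstructed): when the configured header is
    present it decides the scheme in both directions; only when it is absent
    does the transport scheme of the proxy-to-app hop count."""
    header, value = SECURE_PROXY_SSL_HEADER
    header_value = meta.get(header)
    if header_value is not None:
        return "https" if header_value == value else "http"
    return meta.get("wsgi.url_scheme", "http")


def is_secure(meta: dict, scheme_fn) -> bool:
    """Equivalent of HttpRequest.is_secure(): True iff the scheme is https."""
    return scheme_fn(meta) == "https"


def build_absolute_uri(meta: dict, scheme_fn) -> str:
    """Simplified build_absolute_uri(): scheme, host and path only."""
    return f"{scheme_fn(meta)}://{meta['HTTP_HOST']}{meta['PATH_INFO']}"


def should_redirect_to_https(meta: dict, scheme_fn, secure_ssl_redirect: bool = True) -> bool:
    """Mirror of the SECURE_SSL_REDIRECT decision: redirect non-secure requests."""
    return secure_ssl_redirect and not is_secure(meta, scheme_fn)


# Constructed WSGI environs. In every case the proxy talks TLS to the app,
# so wsgi.url_scheme is 'https'; only what the client did differs.
CLIENT_HTTP_PROXY_TLS = {          # client -> proxy was plain HTTP
    "HTTP_X_FORWARDED_PROTO": "http",
    "wsgi.url_scheme": "https",
    "HTTP_HOST": "app.example.invalid",
    "PATH_INFO": "/login/",
}
CLIENT_HTTPS_PROXY_TLS = {         # client -> proxy was HTTPS
    "HTTP_X_FORWARDED_PROTO": "https",
    "wsgi.url_scheme": "https",
    "HTTP_HOST": "app.example.invalid",
    "PATH_INFO": "/login/",
}
NO_HEADER_PROXY_TLS = {            # header absent: transport scheme decides
    "wsgi.url_scheme": "https",
    "HTTP_HOST": "app.example.invalid",
    "PATH_INFO": "/login/",
}


def compare(meta: dict) -> dict:
    """Return the three affected results under both implementations."""
    out = {}
    for label, fn in (("vulnerable", scheme_vulnerable), ("fixed", scheme_fixed)):
        out[label] = {
            "scheme": fn(meta),
            "is_secure": is_secure(meta, fn),
            "absolute_uri": build_absolute_uri(meta, fn),
            "redirect_to_https": should_redirect_to_https(meta, fn),
        }
    return out


if __name__ == "__main__":
    for name, env in (("client HTTP, proxy TLS", CLIENT_HTTP_PROXY_TLS),
                      ("client HTTPS, proxy TLS", CLIENT_HTTPS_PROXY_TLS),
                      ("no header, proxy TLS", NO_HEADER_PROXY_TLS)):
        print(name, compare(env))
```

The first environ is the case the advisory is about: the unfixed logic reports ``https``, so ``is_secure()`` is true, ``build_absolute_uri()`` emits an ``https://`` URL for a request that actually arrived over plain HTTP, and no ``SECURE_SSL_REDIRECT`` redirect is issued; the fixed logic honours the ``http`` value of the proxy header. The second and third environs behave identically before and after the fix, which is why the advisory asks deployments to verify specifically the "proxy forwards HTTP but connects via HTTPS" configuration. As Django's own documentation for ``SECURE_PROXY_SSL_HEADER`` has always stressed, the setting is only safe when the proxy strips or overwrites that header on every client request; the modelled logic trusts the header unconditionally.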
Fix for 1.11 branch at [1]

[1] https://github.com/django/django/commit/32124fc41e75074141b05f10fc55a4f01ff7f050
All codestreams tracked as affected. openSUSE 15.0, 15.1 and Factory are also affected.
This is an autogenerated message for OBS integration: This bug (1139945) was mentioned in https://build.opensuse.org/request/show/716616 Factory / python-Django
This is an autogenerated message for OBS integration: This bug (1139945) was mentioned in https://build.opensuse.org/request/show/717077 Factory / python-Django1
Cloud8+Cloud9 is fixed, Cloud7 still missing.
This is an autogenerated message for OBS integration: This bug (1139945) was mentioned in https://build.opensuse.org/request/show/720192 15.1 / python-Django
openSUSE-SU-2019:1839-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-11358,CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used:
openSUSE Leap 15.1 (src): python-Django-2.2.4-lp151.2.3.1
Dirk submitted a fix for the Cloud7 backport, see: https://build.opensuse.org/package/rdiff/Cloud:OpenStack:Newton/python-Django?linkrev=base&rev=12 (or https://build.opensuse.org/package/show/Cloud:OpenStack:Newton/python-Django for the base package)
openSUSE-SU-2019:1872-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-11358,CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used:
openSUSE Backports SLE-15-SP1 (src): python-Django-2.2.4-bp151.3.3.1
Backports are complete, marking resolved.
python-Django is also maintained on SES4 and SES5.
python-Django1 is also in Leap
SUSE-SU-2019:2257-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): python-Django-1.11.23-3.12.1
SUSE OpenStack Cloud 8 (src): python-Django-1.11.23-3.12.1
HPE Helion Openstack 8 (src): python-Django-1.11.23-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2335-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): python-Django1-1.11.23-3.9.1
SUSE OpenStack Cloud 9 (src): python-Django1-1.11.23-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2379-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1139945
CVE References: CVE-2019-12781
Sources used:
SUSE OpenStack Cloud 7 (src): python-Django-1.8.19-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Submitted:
https://build.suse.de/request/show/206023 (SES4)
https://build.suse.de/request/show/206025 (SES5)
Fixed in SES5 by https://build.suse.de/request/show/206108

SES4 is no longer supported: Maintenance declined the MR. SES6 does not ship the package at all.

From a SUSE Enterprise Storage standpoint, there's nothing left to do (correct me if I'm wrong).
> From a SUSE Enterprise Storage standpoint, there's nothing left to do
> (correct me if I'm wrong).

Correcting myself, the SES5 Maintenance Incident - http://merkur.qam.suse.de/incident/13377/ - is still open because:

Missing Fixes
bnc#1120932
bnc#1124991
bnc#1120932 is CVE-2019-3498
bnc#1124991 is CVE-2019-6975
(In reply to Nathan Cutler from comment #27)
> bnc#1120932 is CVE-2019-3498

The above looks straightforward to backport to django 1.6 for SES5. Should I do this, and open a new MR?

> bnc#1124991 is CVE-2019-6975

This one I'm not so sure about. https://github.com/django/django/commit/0bbb560183fabf0533289700845dafa94951f227 says that the problem is due to memory usage in '{:f}'.format(), but django 1.6 doesn't use that AFAICT (see the format function in https://github.com/django/django/blob/stable/1.6.x/django/utils/numberformat.py). Can anyone advise if this one is actually required? Thanks
(In reply to Nathan Cutler from comment #27)
> bnc#1120932 is CVE-2019-3498

OK, I've opened https://build.suse.de/request/show/206202 for this one.
Thanks, guys. It looks like the maintenance incident is unblocked now. Release request https://build.suse.de/request/show/206237 is open.
SUSE-SU-2019:3127-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1120932,1139945
CVE References: CVE-2019-12781,CVE-2019-3498
Sources used:
SUSE Enterprise Storage 5 (src): python-Django-1.6.11-6.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done