Bug 1056284 - (CVE-2017-12794) VUL-0: CVE-2017-12794: python-Django: Fixed XSS possibility in traceback section of technical 500 debug page.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE Factory
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Cloud Bugs
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/191223/
Depends on:
Blocks:
Reported: 2017-08-30 05:52 UTC by Marcus Meissner
Modified: 2018-04-27 22:38 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
master.diff (9.06 KB, patch), 2017-08-30 05:53 UTC, Marcus Meissner
1.10.x.diff (7.28 KB, patch), 2017-08-30 05:54 UTC, Marcus Meissner
1.11.x.diff (8.21 KB, patch), 2017-08-30 05:54 UTC, Marcus Meissner

Comment 1 Marcus Meissner 2017-08-30 05:53:46 UTC
Created attachment 738778: master.diff
Comment 2 Marcus Meissner 2017-08-30 05:54:08 UTC
Created attachment 738779: 1.10.x.diff
Comment 3 Marcus Meissner 2017-08-30 05:54:29 UTC
Created attachment 738780: 1.11.x.diff
Comment 4 Marcus Meissner 2017-08-30 05:56:59 UTC
As 1.8 is not affected, only Factory with 1.11.x seems to be.

Please fix after the embargo ends.
Comment 5 Andreas Stieger 2017-09-05 20:15:16 UTC
Public at https://www.djangoproject.com/weblog/2017/sep/05/security-releases/

CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page

In older versions, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with DEBUG = True (which makes this page accessible) in your production settings.

Thanks Charles Bideau for reporting this issue.
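The advisory quoted above describes the defect class: a region of the technical 500 template had HTML autoescaping switched off, so a request-derived value shown in the traceback's local-variable table could land in the page as raw markup. The following is an added illustration written for this bug entry, not code from the Django project or from the attached patches. It uses a constructed template fragment and a constructed variable value; the helper names (`render_local_var`, `unescaped_variables`) and the exact table layout are assumptions, and `html.escape` stands in for the escaping Django's autoescape applies. One function renders a row with and without escaping, the other lints template source for variables rendered inside `{% autoescape off %}` regions, which is the check a reviewer would want when auditing their own debug or error templates.

```python
"""Added example for bug 1056284 (not Django's own code).

Shows why a template region with autoescaping disabled turns
request-controlled data into live HTML, and how to find such regions.
"""
import html
import re

# Constructed stand-in for a local variable captured in a traceback frame.
# Its content is whatever the client sent in a request parameter.
CONSTRUCTED_VALUE = 'search="x" <b>injected</b> <script>probe()</script>'

# Constructed template fragment in Django syntax, modelled on a traceback
# "Local vars" table. The value cell is deliberately inside an
# {% autoescape off %} block to mirror the vulnerable pattern.
CONSTRUCTED_TEMPLATE = """
<table>
{% for var in frame.vars %}
<tr><td>{{ var.0 }}</td>
{% autoescape off %}<td>{{ var.1 }}</td>{% endautoescape %}
</tr>{% endfor %}
</table>
"""


def render_local_var(name, value, autoescape=True):
    """Render one name/value row of a local-variable table (hypothetical helper).

    autoescape=True mirrors the fixed template: the value is HTML-escaped
    before interpolation. autoescape=False mirrors the vulnerable region:
    the raw string is inserted verbatim.
    """
    shown = html.escape(str(value), quote=True) if autoescape else str(value)
    return f"<tr><td>{html.escape(name)}</td><td>{shown}</td></tr>"


def contains_raw_tag(rendered):
    """True if the rendered row still holds an unescaped element start tag."""
    return re.search(r"<(script|b)\b", rendered) is not None


# Matches the body of each {% autoescape off %} ... {% endautoescape %} block.
AUTOESCAPE_OFF = re.compile(
    r"{%\s*autoescape\s+off\s*%}(.*?){%\s*endautoescape\s*%}", re.S
)
# Matches a variable expression such as {{ var.1 }} or {{ value|safe }}.
VARIABLE = re.compile(r"{{\s*([\w.|:\"' ]+?)\s*}}")


def unescaped_variables(template_source):
    """Return variable expressions rendered inside autoescape-off regions.

    This is the audit a template reviewer would run: every expression
    returned here is interpolated without HTML escaping, so its data
    must be trusted or escaped by hand.
    """
    found = []
    for block in AUTOESCAPE_OFF.finditer(template_source):
        found.extend(v.strip() for v in VARIABLE.findall(block.group(1)))
    return found


if __name__ == "__main__":
    print("vulnerable:", render_local_var("q", CONSTRUCTED_VALUE, autoescape=False))
    print("fixed:     ", render_local_var("q", CONSTRUCTED_VALUE, autoescape=True))
    print("unescaped variables in template:", unescaped_variables(CONSTRUCTED_TEMPLATE))
```

The lint is deliberately simple (regular expressions, no template parsing) and reports `var.1` for the constructed fragment; it does not flag `|safe` filters or `mark_safe` in view code, which are the other two ways the same data can bypass autoescaping. As the advisory notes, the page itself is only reachable with `DEBUG = True`, so keeping `DEBUG = False` in production settings is the operational control regardless of the template fix.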
Comment 6 Andreas Stieger 2018-02-28 09:32:08 UTC
fixed in Factory
Comment 7 Swamp Workflow Management 2018-02-28 10:30:15 UTC
This is an autogenerated message for OBS integration:
This bug (1056284) was mentioned in
https://build.opensuse.org/request/show/580902 Backports:SLE-12 / python-Django
Comment 9 Swamp Workflow Management 2018-03-23 21:30:23 UTC
This is an autogenerated message for OBS integration:
This bug (1056284) was mentioned in
https://build.opensuse.org/request/show/590768 42.3 / python3-Django
Comment 10 Swamp Workflow Management 2018-03-27 10:08:52 UTC
openSUSE-SU-2018:0824-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999,968000
CVE References: CVE-2016-2048,CVE-2016-2512,CVE-2016-2513,CVE-2016-6186,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
openSUSE Leap 42.3 (src):    python3-Django-1.8.19-5.3.1
Comment 11 Swamp Workflow Management 2018-03-27 10:11:17 UTC
openSUSE-SU-2018:0826-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999,968000
CVE References: CVE-2016-2048,CVE-2016-2512,CVE-2016-2513,CVE-2016-6186,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
openSUSE Leap 42.3 (src):    python-Django-1.8.19-6.4.1
Comment 12 Swamp Workflow Management 2018-04-18 10:13:00 UTC
SUSE-SU-2018:0973-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305
CVE References: CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
SUSE OpenStack Cloud 7 (src):    python-Django-1.8.19-3.4.1
Comment 13 Swamp Workflow Management 2018-04-27 19:10:14 UTC
SUSE-SU-2018:1102-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999
CVE References: CVE-2016-2512,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
SUSE OpenStack Cloud 6 (src):    python-Django-1.8.19-3.6.1