[ASA-201907-2] python-django: silent downgrade
Arch Linux Security Advisory ASA-201907-2 ========================================= Severity: High Date : 2019-07-06 CVE-ID : CVE-2019-12781 Package : python-django Type : silent downgrade Remote : Yes Link : https://security.archlinux.org/AVG-1000 Summary ======= The package python-django before version 2.2.3-1 is vulnerable to silent downgrade. Resolution ========== Upgrade to 2.2.3-1. # pacman -Syu "python-django>=2.2.3-1" The problem has been fixed upstream in version 2.2.3. Workaround ========== None. Description =========== An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP. Impact ====== A remote attacker is able to perform a man-in-the-middle attack if a HTTP request is not redirected to HTTPS. References ========== https://docs.djangoproject.com/en/2.2/releases/2.2.3/ https://www.openwall.com/lists/oss-security/2019/07/01/3 https://github.com/django/django/commit/77706a3e4766da5d5fb75c4db22a0a59a28e... https://security.archlinux.org/CVE-2019-12781
participants (1)
-
Morten Linderud