Advisories » MGASA-2019-0035

Updated python-django packages fix security vulnerability

Publication date: 11 Jan 2019
Modification date: 11 Jan 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2019-3498

Description

An upstream patch has been backported to fix a security vulnerability in
python-django. CVE-2019-3498: Content spoofing possibility in the
default 404 page

An attacker could craft a malicious URL that could make spoofed content
appear on the default page generated by the
django.views.defaults.page_not_found() view. The URL path is no longer
displayed in the default 404 template and the request_path context 
variable is now quoted to fix the issue for custom templates that use
the path.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=24128
• https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
• https://security-tracker.debian.org/tracker/CVE-2019-3498
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3498

SRPMS

6/core

• python-django-1.8.19-1.1.mga6