[3.7] py-django: Content spoofing via URL path in default 404 page (CVE-2019-3498) (#9835) · Issues · alpine / aports

[3.7] py-django: Content spoofing via URL path in default 404 page (CVE-2019-3498)

Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to content spoofing via crafted URL in the default 404 page.
An attacker could craft a malicious URL that could make spoofed content appear on the default page generated
by the django.views.defaults.page_not_found() view.

Fixed In Version:

python-django 1.11.18, python-django 2.0.10, python-django 2.1.5

References:

https://www.djangoproject.com/weblog/2019/jan/04/security-releases/

Patch:

https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a

(from redmine: issue id 9835, created on 2019-01-09, closed on 2019-02-19)

Relations:
- parent #9832 (closed)
Changesets:
- Revision efea0b28 on 2019-02-04T11:27:46Z:

main/py-django: security upgrade to 1.11.18 (CVE-2019-3498)

Fixes #9835

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.