Control: retitle -1 python-django: CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
On Mon, Jul 01, 2019 at 08:36:06PM +0200, Salvatore Bonaccorso wrote:
> Source: python-django
> Version: 1:1.11.21-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: found -1 2:2.2.1-1
> Control: found -1 1:1.10.7-2+deb9u4
> Control: found -1 1:1.10.7-1

This is correct.

> CVE-2019-12308[0]:
> | An issue was discovered in Django 1.11 before 1.11.21, 2.1 before
> | 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed
> | by the AdminURLFieldWidget displays the provided value without
> | validating it as a safe URL. Thus, an unvalidated value stored in the
> | database, or a value provided as a URL query parameter payload, could
> | result in a clickable JavaScript link.

This was plain wrong for this bug report, apologies for that. This bug is
meant to track the following CVE:

CVE-2019-12781[0]
| Incorrect HTTP detection with reverse-proxy connecting via HTTPS

as per [1].

[0] https://security-tracker.debian.org/tracker/CVE-2019-12781
[1] https://www.djangoproject.com/weblog/2019/jul/01/security-releases/

Please do ignore the above CVE description, which belongs to another issue
already fixed for python-django.

Regards,
Salvatore