Bug#946011: python-django: CVE-2019-19118
Hi Chris,

On Tue, Dec 03, 2019 at 09:25:42PM +0100, Chris Lamb wrote:
> Dear Salvatore,
> 
> > > Security team, would you like an upload for stable?
> > 
> > As far as I can see this issue has been introduced around 2.1 where the
> > search support for view permissions and a read-only admin support was
> > added.
> […]
> 
> Upon further inspection that is my reading too. I was being
> overly-cautious in assuming that it was vulnerable without doing any
> checking first, thus leading to this noise (for which I apologise).
> 
> I have updated data/dla-needed.txt and data/CVE/list to match.

Thanks for double-checking and confirming!

Regards,
Salvatore
Bug#946011: python-django: CVE-2019-19118
Dear Salvatore,

> > Security team, would you like an upload for stable?
> 
> As far as I can see this issue has been introduced around 2.1 where the
> search support for view permissions and a read-only admin support was
> added.
[…]

Upon further inspection that is my reading too. I was being
overly-cautious in assuming that it was vulnerable without doing any
checking first, thus leading to this noise (for which I apologise).

I have updated data/dla-needed.txt and data/CVE/list to match.

Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
Bug#946011: python-django: CVE-2019-19118
Hi Chris,

On Mon, Dec 02, 2019 at 09:30:49PM +0100, Chris Lamb wrote:
> Chris Lamb wrote:
> 
> > Package: python-django
> > Version: 1.7.11-1+deb8u7
> […]
> > CVE-2019-19118[0]:
> > | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
> > | editing. A Django model admin displaying inline related models, where
> > | the user has view-only permissions to a parent model but edit
> > | permissions to the inline model, would be presented with an editing
> > | UI, allowing POST requests, for updating the inline model. Directly
> > | editing the view-only parent model was not possible, but the parent
> > | model's save() method was called, triggering potential side effects,
> > | and causing pre and post-save signal handlers to be invoked. (To
> > | resolve this, the Django admin is adjusted to require edit permissions
> > | on the parent model in order for inline models to be editable.)
> 
> Security team, would you like an upload for stable?

As far as I can see this issue has been introduced around 2.1 where the
search support for view permissions and a read-only admin support was
added. Before that the issue does not seem to be present and as such does
not affect buster, stretch or older. I have updated this bug with some
metadata in that regard.

Can you confirm this assessment?

Regards,
Salvatore
Bug#946011: python-django: CVE-2019-19118
Chris Lamb wrote:

> Package: python-django
> Version: 1.7.11-1+deb8u7
[…]
> CVE-2019-19118[0]:
> | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
> | editing. A Django model admin displaying inline related models, where
> | the user has view-only permissions to a parent model but edit
> | permissions to the inline model, would be presented with an editing
> | UI, allowing POST requests, for updating the inline model. Directly
> | editing the view-only parent model was not possible, but the parent
> | model's save() method was called, triggering potential side effects,
> | and causing pre and post-save signal handlers to be invoked. (To
> | resolve this, the Django admin is adjusted to require edit permissions
> | on the parent model in order for inline models to be editable.)

Security team, would you like an upload for stable?

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
Bug#946011: python-django: CVE-2019-19118
Package: python-django
Version: 1.7.11-1+deb8u7
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2019-19118[0]:
| Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
| editing. A Django model admin displaying inline related models, where
| the user has view-only permissions to a parent model but edit
| permissions to the inline model, would be presented with an editing
| UI, allowing POST requests, for updating the inline model. Directly
| editing the view-only parent model was not possible, but the parent
| model's save() method was called, triggering potential side effects,
| and causing pre and post-save signal handlers to be invoked. (To
| resolve this, the Django admin is adjusted to require edit permissions
| on the parent model in order for inline models to be editable.)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19118
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19118

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
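The permission decision described in the CVE text above, as an added example that is neither Django's code nor anything from the Debian package or this thread. The stand-in classes reproduce only the decision logic as I understand the upstream fix (the parent-edit gate in ModelAdmin.get_inline_formsets and the change view's POST check), so the vulnerable and fixed policies can be run side by side without Django installed. The app label `library`, the models `book` and `chapter`, the permission codenames and the recorded event strings are all constructed for the example.

```python
"""
Stand-in for the Django admin inline-permission decision behind
CVE-2019-19118. Not Django code: only the decision logic is modelled,
with constructed model names, permission codenames and event strings.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Stand-in for an auth User; perms holds 'app_label.codename' strings."""
    perms: frozenset

    def has_perm(self, perm):
        return perm in self.perms


class AdminStub:
    """Minimal copy of the has_*_permission helpers an (Inline)ModelAdmin has."""

    def __init__(self, app_label, model_name):
        self.app_label = app_label
        self.model_name = model_name

    def _perm(self, user, action):
        return user.has_perm(f"{self.app_label}.{action}_{self.model_name}")

    def has_view_permission(self, user):
        # Since Django 2.1, change permission implies view permission.
        return self._perm(user, "view") or self._perm(user, "change")

    def has_add_permission(self, user):
        return self._perm(user, "add")

    def has_change_permission(self, user):
        return self._perm(user, "change")

    def has_delete_permission(self, user):
        return self._perm(user, "delete")


def inline_permissions(user, parent, inline, fixed, obj_exists=True):
    """
    Flags the change view hands to one inline formset when rendering.

    fixed=False: 2.1.0-2.1.14 / 2.2.0-2.2.7 behaviour; only the inline's
    own permissions are consulted, so a view-only parent page still gets
    an editable inline.
    fixed=True: 2.1.15 / 2.2.8 behaviour; editing an inline additionally
    requires edit permission on the parent, otherwise every edit flag is
    cleared and the formset gets no empty extra forms.
    """
    can_edit_parent = (parent.has_change_permission(user) if obj_exists
                       else parent.has_add_permission(user))
    if fixed and not can_edit_parent:
        return {"add": False, "change": False, "delete": False,
                "view": inline.has_view_permission(user), "extra_forms": 0}
    return {"add": inline.has_add_permission(user),
            "change": inline.has_change_permission(user),
            "delete": inline.has_delete_permission(user),
            "view": inline.has_view_permission(user),
            "extra_forms": None}  # None: keep the formset's configured extra


def simulate_changeform_post(user, parent, inline, fixed):
    """
    Trace a POST to the parent's change view carrying inline data.

    Returns the events that fire, in order; [] means the request was
    refused or the inline data ignored. The order mirrors the admin:
    save_model() runs on the parent (so pre_save/post_save handlers fire)
    before save_related() saves the inline, which is the side effect the
    advisory describes even though no parent field was editable.
    """
    if fixed:
        # Fixed: a POST needs change permission on the parent.
        if not parent.has_change_permission(user):
            return []
    elif not parent.has_view_permission(user):
        # Vulnerable: view permission was enough to reach the POST path.
        return []
    flags = inline_permissions(user, parent, inline, fixed)
    if not (flags["add"] or flags["change"] or flags["delete"]):
        return []  # inline rendered read-only: nothing is saved
    return [f"pre_save:{parent.model_name}",
            f"{parent.model_name}.save()",
            f"post_save:{parent.model_name}",
            f"{inline.model_name}.save()"]


# Constructed scenario from the advisory: view-only on the parent model,
# full edit rights on the inline model.
BOOK = AdminStub("library", "book")
CHAPTER = AdminStub("library", "chapter")
VIEW_ONLY_EDITOR = User(frozenset({
    "library.view_book",
    "library.add_chapter", "library.change_chapter", "library.delete_chapter",
}))

if __name__ == "__main__":
    for fixed in (False, True):
        tag = "fixed" if fixed else "vulnerable"
        print(tag, inline_permissions(VIEW_ONLY_EDITOR, BOOK, CHAPTER, fixed))
        print(tag, simulate_changeform_post(VIEW_ONLY_EDITOR, BOOK, CHAPTER, fixed))
```

Run as a script, the vulnerable policy returns an editable inline and a trace in which the parent's save() and its signal handlers run before the inline is saved; the fixed policy renders the inline read-only and refuses the POST outright. When auditing a Django deployment for this bug, the thing to check is that the version in use is at or past 2.1.15 / 2.2.8, and, for any custom InlineModelAdmin that overrides the has_*_permission methods, that none of them re-grants edit rights independently of the parent.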