File _patchinfo of Package patchinfo.7935

<patchinfo incident="7935">
  <issue tracker="bnc" id="1083305" />
  <issue tracker="bnc" id="1083304" />
  <issue tracker="bnc" id="1001374" />
  <issue tracker="bnc" id="968000" />
  <issue tracker="bnc" id="1008050" />
  <issue tracker="bnc" id="1008047" />
  <issue tracker="bnc" id="1031451" />
  <issue tracker="bnc" id="1031450" />
  <issue tracker="bnc" id="967999" />
  <issue id="1056284" tracker="bnc">VUL-0: CVE-2017-12794: python-Django: Fixed XSS possibility in traceback section of technical 500 debug page.</issue>
  <issue id="2017-7234" tracker="cve" />
  <issue id="2016-7401" tracker="cve" />
  <issue id="2016-2513" tracker="cve" />
  <issue id="2016-2512" tracker="cve" />
  <issue id="2017-7233" tracker="cve" />
  <issue id="2016-9013" tracker="cve" />
  <issue id="2016-6186" tracker="cve" />
  <issue id="2016-9014" tracker="cve" />
  <issue id="2018-7536" tracker="cve" />
  <issue id="2018-7537" tracker="cve" />
  <issue id="2016-2048" tracker="cve" />
  <issue id="2017-12794" tracker="cve" />

  <category>security</category>
  <rating>moderate</rating>
  <packager>AndreasStieger</packager>
  <description>This update for python-Django to version 1.18.18 fixes multiple issues.
    
Security issues fixed:
    
- CVE-2018-7537: Fixed catastrophic backtracking in django.utils.text.Truncator (bsc#1083305).
- CVE-2018-7536: Fixed catastrophic backtracking in urlize and urlizetrunc template filters (bsc#1083304).
- CVE-2016-7401: CSRF protection bypass on a site with Google Analytics (bsc#1001374).
- CVE-2016-2513: User enumeration through timing difference on password hasher work factor upgrade (bsc#968000).
- CVE-2016-2512: Fixed malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth (bsc#967999).
- CVE-2016-9013: User with hardcoded password created when running tests on Oracle (bsc#1008050).
- CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True (bsc#1008047).
- CVE-2017-7234: Open redirect vulnerability in django.views.static.serve() (bsc#1031451).
- CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (bsc#1031450).
- CVE-2017-12794: Fixed XSS possibility in traceback section of technical 500 debug page (bsc#1056284).
</description>
  <summary>Security update for python-Django</summary>
</patchinfo>