ASA-201610-13 generated external raw

[ASA-201610-13] python-django: cross-site request forgery
Arch Linux Security Advisory ASA-201610-13 ========================================== Severity: Medium Date : 2016-10-21 CVE-ID : CVE-2016-7401 Package : python-django Type : cross-site request forgery Remote : Yes Link : Summary ======= The package python-django before version 1.10.1-1 is vulnerable to cross-site request forgery. Resolution ========== Upgrade to 1.10.1-1. # pacman -Syu "python-django>=1.10.1-1" The problem has been fixed upstream in version 1.10.1. Workaround ========== None. Description =========== Sergey Bobrov found a vulnerability where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. Impact ====== A remote attacker is able to perform cross-site request forgery by bypassing the protection under certain circumstances. References ==========