ASA-201610-13 log original external raw

[ASA-201610-13] python-django: cross-site request forgery
Arch Linux Security Advisory ASA-201610-13 ========================================== Severity: Medium Date : 2016-10-21 CVE-ID : CVE-2016-7401 Package : python-django Type : cross-site request forgery Remote : Yes Link : https://security.archlinux.org/AVG-35 Summary ======= The package python-django before version 1.10.1-1 is vulnerable to cross-site request forgery. Resolution ========== Upgrade to 1.10.1-1. # pacman -Syu "python-django>=1.10.1-1" The problem has been fixed upstream in version 1.10.1. Workaround ========== None. Description =========== Sergey Bobrov found a vulnerability where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. Impact ====== A remote attacker is able to perform cross-site request forgery by bypassing the protection under certain circumstances. References ========== https://www.djangoproject.com/weblog/2016/sep/26/security-releases/ https://security.archlinux.org/CVE-2016-7401