Arch Linux Security Advisory ASA-201610-13 ========================================== Severity: Medium Date : 2016-10-21 CVE-ID : CVE-2016-7401 Package : python-django Type : cross-site request forgery Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package python-django before version 1.10.1-1 is vulnerable to cross-site request forgery. Resolution ========== Upgrade to 1.10.1-1. # pacman -Syu "python-django>=1.10.1-1" The problem has been fixed upstream in version 1.10.1. Workaround ========== None. Description =========== Sergey Bobrov found a vulnerability where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. Impact ====== A remote attacker is able to perform cross-site request forgery by bypassing the protection under certain circumstances. References ========== https://www.djangoproject.com/weblog/2016/sep/26/security-releases/ https://access.redhat.com/security/cve/CVE-2016-7401