ASA-201907-2 log generated external raw

[ASA-201907-2] python-django: silent downgrade
Arch Linux Security Advisory ASA-201907-2 ========================================= Severity: High Date : 2019-07-06 CVE-ID : CVE-2019-12781 Package : python-django Type : silent downgrade Remote : Yes Link : Summary ======= The package python-django before version 2.2.3-1 is vulnerable to silent downgrade. Resolution ========== Upgrade to 2.2.3-1. # pacman -Syu "python-django>=2.2.3-1" The problem has been fixed upstream in version 2.2.3. Workaround ========== None. Description =========== An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP. Impact ====== A remote attacker is able to perform a man-in-the-middle attack if a HTTP request is not redirected to HTTPS. References ==========