python2-django

Description: A high-level Python Web framework that encourages rapid development and clean design
Version: 1.11.20-1 [extra]

Resolved

Group    Affected   Fixed      Severity  Status
AVG-882  1.11.18-1  1.11.19-1  Medium    Fixed
AVG-838  1.11.17-1  1.11.18-1  Medium    Fixed
AVG-774  1.11.15-1  -          Medium    Not affected
AVG-746  1.11.13-1  1.11.15-1  Medium    Fixed
AVG-649  1.11.10-1  1.11.11-1  Medium    Fixed
AVG-624  1.11.8-1   1.11.10-1  Medium    Fixed
AVG-233  1.10.3-2   1.11-1     Medium    Fixed
AVG-57   1.10.2-1   1.10.3-1   High      Fixed
AVG-35   1.9.9-1    1.10.1-1   Medium    Fixed
Issue           Group    Severity  Remote  Type (description on the following line)
CVE-2019-6975   AVG-882  Medium    Yes     Denial of service
    Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows uncontrolled memory consumption via a malicious attacker-supplied value to...
CVE-2019-3498   AVG-838  Medium    Yes     Content spoofing
    A content spoofing issue has been found in django before 2.1.5 and 1.11.18, where an attacker could craft a malicious URL that could make spoofed content...
CVE-2018-7537   AVG-649  Medium    Yes     Denial of service
    If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to...
CVE-2018-7536   AVG-649  Medium    Yes     Denial of service
    The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular...
CVE-2018-6188   AVG-624  Medium    Yes     Information disclosure
    A regression in Django 1.11.8 and 1.11.9 before 1.11.10 and 2.0 before 2.0.2 made AuthenticationForm run its confirm_login_allowed() method even if an...
CVE-2018-16984  AVG-774  Medium    Yes     Information disclosure
    If an admin user has the change permission to the user model, only part of the password hash is displayed in the change form. Admin users with the view (but...
CVE-2018-14574  AVG-746  Medium    Yes     Open redirect
    If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path...
CVE-2017-7234   AVG-233  Medium    Yes     Open redirect
    A maliciously crafted URL to a Django site using the serve() view could redirect to any other domain. The view no longer does any redirects as they don't...
CVE-2017-7233   AVG-233  Medium    Yes     Cross-site scripting
    Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL. The security check...
CVE-2016-9014   AVG-57   High      Yes     Access restriction bypass
    Older versions of Django don't validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS...
CVE-2016-9013   AVG-57   High      Yes     Authentication bypass
    When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the...
CVE-2016-7401   AVG-35   Medium    Yes     Cross-site request forgery
    Sergey Bobrov found a vulnerability where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary...
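The check a practitioner usually wants from the tables above is whether a given installed python2-django build is still below the Fixed version of any group. The script below is an added example, not part of the Arch security tracker or of Django: it transcribes the Resolved table as data and compares versions with a simplified, numeric-only stand-in for pacman's vercmp (an assumption that holds for the dotted-numeric versions listed on this page; for arbitrary Arch version strings, call the vercmp binary shipped with pacman instead). The pacman -Q lookup and the fallback to the page's listed 1.11.20-1 are illustrative.

```python
"""Check an installed python2-django version against the Resolved table.

Added example, not tracker or Django code.  The version comparison is a
simplified, numeric-only stand-in for pacman's vercmp (assumption: good
enough for the dotted-numeric versions on this page; use the real
`vercmp` binary for arbitrary Arch version strings).
"""

import subprocess
import sys
from typing import List, Optional, Tuple

# Rows of the Resolved table, transcribed from the page:
# (group, affected, fixed or None, severity, status)
RESOLVED: List[Tuple[str, str, Optional[str], str, str]] = [
    ("AVG-882", "1.11.18-1", "1.11.19-1", "Medium", "Fixed"),
    ("AVG-838", "1.11.17-1", "1.11.18-1", "Medium", "Fixed"),
    ("AVG-774", "1.11.15-1", None,        "Medium", "Not affected"),
    ("AVG-746", "1.11.13-1", "1.11.15-1", "Medium", "Fixed"),
    ("AVG-649", "1.11.10-1", "1.11.11-1", "Medium", "Fixed"),
    ("AVG-624", "1.11.8-1",  "1.11.10-1", "Medium", "Fixed"),
    ("AVG-233", "1.10.3-2",  "1.11-1",    "Medium", "Fixed"),
    ("AVG-57",  "1.10.2-1",  "1.10.3-1",  "High",   "Fixed"),
    ("AVG-35",  "1.9.9-1",   "1.10.1-1",  "Medium", "Fixed"),
]


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split 'pkgver-pkgrel' into (numeric pkgver segments, pkgrel)."""
    pkgver, _, pkgrel = version.partition("-")
    segments = tuple(int(part) for part in pkgver.split("."))
    return segments, int(pkgrel or 0)


def vercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like pacman's vercmp, for numeric segments only.

    A version that is a strict prefix of a longer one sorts lower, so
    1.11-1 < 1.11.10-1; pkgrel breaks ties on an equal pkgver.
    """
    seg_a, rel_a = parse_version(a)
    seg_b, rel_b = parse_version(b)
    if seg_a != seg_b:
        return -1 if seg_a < seg_b else 1
    if rel_a != rel_b:
        return -1 if rel_a < rel_b else 1
    return 0


def open_groups(installed: str) -> List[str]:
    """Groups whose fixed version the installed build has not reached.

    Rows with status 'Not affected' carry no fixed version and never match.
    """
    hits = []
    for group, _affected, fixed, _severity, status in RESOLVED:
        if status != "Fixed" or fixed is None:
            continue
        if vercmp(installed, fixed) < 0:
            hits.append(group)
    return hits


def installed_version(fallback: str = "1.11.20-1") -> str:
    """Read the version from `pacman -Q python2-django` ("name version"),
    falling back to the page's listed version when pacman is unavailable."""
    try:
        out = subprocess.check_output(
            ["pacman", "-Q", "python2-django"], text=True)
        return out.split()[1]
    except (OSError, subprocess.CalledProcessError, IndexError):
        return fallback


if __name__ == "__main__":
    # Usage: python3 check.py [pkgver-pkgrel]
    version = sys.argv[1] if len(sys.argv) > 1 else installed_version()
    hits = open_groups(version)
    print(version, "-> unfixed groups:", ", ".join(hits) or "none")
    sys.exit(1 if hits else 0)
```

Run it on an Arch host with python2-django installed, or pass a version string as the first argument (exit status 1 means at least one group is unfixed). The Affected column is the build each group was reported against, so anything older than it falls under the same "below Fixed" comparison; AVG-774 is skipped because its status is Not affected and it has no fixed version.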

Advisories

Date Advisory Group Severity Description
12 Feb 2019 ASA-201902-15 AVG-882 Medium denial of service
11 Jan 2019 ASA-201901-7 AVG-838 Medium content spoofing
03 Aug 2018 ASA-201808-3 AVG-746 Medium open redirect
06 Mar 2018 ASA-201803-6 AVG-649 Medium denial of service
06 Apr 2017 ASA-201704-1 AVG-233 Medium multiple issues
16 Nov 2016 ASA-201611-14 AVG-57 High multiple issues
21 Oct 2016 ASA-201610-12 AVG-35 Medium cross-site request forgery