Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 3 Jun 2019 13:21:10 +0200
From: Carlton Gibson <carlton.gibson@...il.com>
To: oss-security@...ts.openwall.com
Subject: Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled
 jQuery for CVE-2019-11358)

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team
is issuing `Django 1.11.21
<https://docs.djangoproject.com/en/dev/releases/1.11.21/>`_, `Django 2.1.9
<https://docs.djangoproject.com/en/dev/releases/2.1.9/>`_, and `Django 2.2.2
<https://docs.djangoproject.com/en/dev/releases/2.2.2/>`_. These releases
addresses the security issues detailed below. We encourage all users of Django
to upgrade as soon as possible.

CVE-2019-12308: AdminURLFieldWidget XSS
=======================================

The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
the provided value without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value provided as a URL query parameter
payload, could result in an clickable JavaScript link.

``AdminURLFieldWidget`` now validates the provided value using ``URLValidator``
before displaying the clickable link. You may customise the validator by
passing a ``validator_class`` kwarg to ``AdminURLFieldWidget.__init__()``, e.g.
when using ``ModelAdmin.formfield_overrides``.

Affected versions
-----------------

* Django master development branch
* Django 2.2 before version 2.2.2
* Django 2.1 before version 2.1.9
* Django 1.11 before version 1.11.21

Patched bundled jQuery for CVE-2019-11358: Prototype pollution
==============================================================

jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
``Object.prototype`` pollution. If an unsanitized source object contained an
enumerable ``__proto__`` property, it could extend the native
``Object.prototype``.

The bundled version of jQuery used by the Django admin has been patched to
allow for the ``select2`` library's use of ``jQuery.extend()``.

Affected versions
-----------------

* Django master development branch
* Django 2.2 before version 2.2.2
* Django 2.1 before version 2.1.9

Resolution
==========

Patches to resolve these issues have been applied to Django's master branch and
the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the
following changesets:

On the master branch:

* `Admin XSS <https://github.com/django/django/commit/deeba6d92006999fee9adfbd8be79bf0a59e8008>`__
* `jQuery prototype pollution <https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f>`__

On the 2.2 release branch:

* `Admin XSS <https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673>`__
* `jQuery prototype pollution <https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad>`__

On the 2.1 release branch:

* `Admin XSS <https://github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62>`__
* `jQuery prototype pollution <https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829>`__

On the 1.11 release branch:

* `Admin XSS <https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b>`__

The following releases have been issued:

* Django 1.11.21 (`download Django 1.11.21 <https://www.djangoproject.com/m/releases/1.11/Django-1.11.21.tar.gz>`_ | `1.11.21 checksums <https://www.djangoproject.com/m/pgp/Django-1.11.21.checksum.txt>`_)
* Django 2.1.9 (`download Django 2.1.9 <https://www.djangoproject.com/m/releases/2.1/Django-2.1.9.tar.gz>`_ | `2.1.9 checksums <https://www.djangoproject.com/m/pgp/Django-2.1.9.checksum.txt>`_)
* Django 2.2.2 (`download Django 2.2.2 <https://www.djangoproject.com/m/releases/2.1/Django-2.2.2.tar.gz>`_ | `2.2.2 checksums <https://www.djangoproject.com/m/pgp/Django-2.2.2.checksum.txt>`_)


The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security@...ngoproject.com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.