-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2262
  Django -- possible XSS in traceback section of technical 500 debug page
                              7 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Django
Publisher:         FreeBSD
Operating System:  FreeBSD
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12794

Original Bulletin:
   http://www.vuxml.org/freebsd/aaab03be-932d-11e7-92d8-4b26fc968492.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than FreeBSD. It is recommended that administrators
         running Django check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Django -- possible XSS in traceback section of technical 500 debug page

Affected packages
  py27-django110 < 1.10.8
  py34-django110 < 1.10.8
  py35-django110 < 1.10.8
  py36-django110 < 1.10.8
  py27-django111 < 1.11.5
  py34-django111 < 1.11.5
  py35-django111 < 1.11.5
  py36-django111 < 1.11.5

Details
  VuXML ID   aaab03be-932d-11e7-92d8-4b26fc968492
  Discovery  2017-09-05
  Entry      2017-09-06

Django blog:

In older versions, HTML autoescaping was disabled in a portion of the
template for the technical 500 debug page. Given the right circumstances,
this allowed a cross-site scripting attack. This vulnerability shouldn't
affect most production sites since you shouldn't run with DEBUG = True
(which makes this page accessible) in your production settings.

References
  CVE Name  CVE-2017-12794
  URL       https://www.djangoproject.com/weblog/2017/sep/05/security-releases/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWbDl54x+lLeg9Ub1AQin2A//UFWht0x9Tu481Io3f58pZLYRuTOo+MPX
SaLpu66Bp+//wK3WA4l6+tKfVZoH/7ZGE+flYcYLjiWljbRR6BMhDQK1Z/Au6AXq
C78bqtdqs1bOScFkhRSayi1z9vJZyZTp0dL1Jq4ICP8WhXqkrq1POlwOj4jLpOLP
8o+iRyqnYy5QhmiR9ny7vqttwsSJlzNP5PM0poB7jkYVEd5asAWyOvX63qFniRdG
VUZmBdDJyGY2DuMtpeJSEJeiGvSjLqTWl5w2cfFwEMgfzxLqjUVkwkorxlpYrb7U
cFA/+OQ5XUugs59qiWP4OKe5kFFh9lStpgAFuFWjvKYGtDJN5CaI9P85PUHct28x
aOjhAbkYyXwvxs5XcxY94Tq+GaosCVWgm9tKXRZ/ULvtoYb4YjDTcEEMGSTwA1JX
Ijrcc4V5LG2Df1l20jCw6bxb6/oPvsQyCasLH+eSN9q0TuLPaLMrJ0BzxJoRIi0x
8wc5aY0Ce37uW/c7NoXjW5Lnqa6BubOfEHlFkV/nygQeNDWZQpae+hYPSv0q7rYp
P+gQEqeLGb9WycOLECTR2n6UEcyH9g2M/wy0lY0koCoaKI+deJ/E3tx6OxYpUO83
aE1YP1+b+1GGePmN8vq9oZdYVNescwz+JFZxC/GfCapGlyZ18O2AVPoYOWIfmcJ4
zfo5j7fRZpI=
=Ks6m
-----END PGP SIGNATURE-----
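The bulletin gives two facts a defender needs: the fixed releases (1.10.8 and 1.11.5) and the precondition that the technical 500 page is only served when DEBUG = True. The script below is an added example, not part of the AusCERT bulletin, the FreeBSD VuXML entry, or Django's own code. It compares a dotted-numeric Django version string against the bulletin's fixed releases for CVE-2017-12794 and combines that with a DEBUG check. It assumes plain "X.Y.Z" version strings and reads settings from a dict rather than a real Django settings module; the sample inputs at the bottom are constructed, not taken from any deployment.

```python
"""Added example (not from the AusCERT bulletin or Django): triage a Django
install against ESB-2017.2262 / CVE-2017-12794.

Assumptions: version strings are dotted-numeric ("1.11.4"); settings are
passed as a plain dict standing in for a Django settings module.
"""

# Fixed releases named in the bulletin: 1.10 series fixed at 1.10.8,
# 1.11 series fixed at 1.11.5. Anything below these in its series is listed
# as affected.
FIXED_VERSIONS = {
    (1, 10): (1, 10, 8),
    (1, 11): (1, 11, 5),
}


def parse_version(version):
    """Turn '1.11.4' into (1, 11, 4). Only dotted-numeric strings are accepted."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unsupported version string: %r" % version)
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the version is below the bulletin's fixed release for its series.

    Returns None for release series the bulletin does not mention (for example
    a 2.0.x install), so callers can tell 'not covered' apart from 'fixed'.
    """
    v = parse_version(version)
    series = v[:2]
    if series not in FIXED_VERSIONS:
        return None
    # Tuple comparison gives correct numeric ordering, unlike string comparison
    # ("1.10.10" < "1.10.8" as strings, but not as tuples).
    return v < FIXED_VERSIONS[series]


def debug_page_exposed(settings):
    """The technical 500 debug page is only rendered when DEBUG is True."""
    return bool(settings.get("DEBUG", False))


def assess(version, settings):
    """Combine the version and DEBUG checks into a single verdict string."""
    affected = is_affected(version)
    exposed = debug_page_exposed(settings)
    if affected is None:
        return "not covered: Django %s is outside the series listed in ESB-2017.2262" % version
    if affected and exposed:
        return "VULNERABLE: Django %s is below the fixed release and DEBUG is True" % version
    if affected:
        return "patch needed: Django %s is below the fixed release (DEBUG is False, page not served)" % version
    return "not affected: Django %s is at or above the fixed release" % version


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    samples = [
        ("1.11.4", {"DEBUG": True}),
        ("1.11.5", {"DEBUG": True}),
        ("1.10.7", {"DEBUG": False}),
        ("2.0.0", {"DEBUG": False}),
    ]
    for ver, cfg in samples:
        print(ver, "->", assess(ver, cfg))
```

The "patch needed" verdict is deliberate: a DEBUG = False site is not serving the affected page, but it is still running a release below the fix, and the bulletin's resolution is Patch/Upgrade rather than relying on the setting alone.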