
Contents of /24128.adv



Revision 8186 - (show annotations) (download)
Fri Jan 11 20:40:59 2019 UTC (5 years, 3 months ago) by tmb
File size: 898 byte(s)
MGASA-2019-0035: python-django-1.8.19-1.1.mga6
type: security
subject: Updated python-django packages fix security vulnerability
CVE:
 - CVE-2019-3498
src:
  6:
   core:
     - python-django-1.8.19-1.1.mga6
description: |
  An upstream patch has been backported to fix a security vulnerability in
  python-django. CVE-2019-3498: Content spoofing possibility in the
  default 404 page

  An attacker could craft a malicious URL that could make spoofed content
  appear on the default page generated by the
  django.views.defaults.page_not_found() view. The URL path is no longer
  displayed in the default 404 template and the request_path context
  variable is now quoted to fix the issue for custom templates that use
  the path.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=24128
 - https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
 - https://security-tracker.debian.org/tracker/CVE-2019-3498
ID: MGASA-2019-0035
