
====================================================================

CERT-Renater

Note d'Information No. 2019/VULN040

_____________________________________________________________________

DATE : 04/06/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Django versions prior to 2.2.2,
2.1.9 and 1.11.21
=====================================================================
https://www.djangoproject.com/weblog/2019/jun/03/security-releases/
_____________________________________________________________________

In accordance with our security release policy, the Django team is issuing
Django 1.11.21, Django 2.1.9, and Django 2.2.2. These releases address the
security issues detailed below. We encourage all users of Django to upgrade
as soon as possible.

CVE-2019-12308: AdminURLFieldWidget XSS
The clickable "Current URL" link generated by AdminURLFieldWidget displayed
the provided value without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value supplied as a URL query parameter
payload, could result in a clickable JavaScript link (for example a
javascript: URL) being rendered in the admin.

AdminURLFieldWidget now validates the provided value using URLValidator
before displaying the clickable link. You may customise the validator by
passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g.
when using ModelAdmin.formfield_overrides.

Affected versions
Django master development branch
Django 2.2 before version 2.2.2
Django 2.1 before version 2.1.9
Django 1.11 before version 1.11.21
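As an added illustration (not code from this advisory, from Django, or from
CERT-Renater), the following Python shows, in simplified form, why HTML
escaping alone does not stop the "Currently:" link from becoming a clickable
javascript: URL, and how validating the value before emitting the link closes
that hole. The is_safe_url function, ALLOWED_SCHEMES, https_only and the
sample values are assumptions standing in for Django's URLValidator and the
validator_class hook; they are not Django's own implementation.

```python
import html
from typing import Callable
from urllib.parse import urlsplit

# Assumption: mirrors the default scheme list of Django's URLValidator
# (http, https, ftp, ftps); it is not imported from Django.
ALLOWED_SCHEMES = ("http", "https", "ftp", "ftps")

# Constructed sample values, as they might sit in a URLField column or arrive
# as a ?field=... query parameter on an admin add/change page.
SAMPLE_VALUES = [
    "https://example.com/path?q=1",
    "javascript:alert(document.domain)",
    "data:text/html,<script>alert(1)</script>",
    "/relative/path",
]


def is_safe_url(value: str) -> bool:
    """Stand-in for URLValidator (not Django's code): accept only absolute
    URLs whose scheme is allow-listed and which carry a host part."""
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. a malformed IPv6 literal such as http://[::1
        return False
    # urlsplit lowercases the scheme, so "JavaScript:" is caught as well.
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def https_only(value: str) -> bool:
    """Hypothetical stricter policy, playing the role a custom validator_class
    plays for AdminURLFieldWidget."""
    return is_safe_url(value) and urlsplit(value).scheme == "https"


def render_current_link_unvalidated(value: str) -> str:
    """Pre-fix behaviour, simplified: the value is HTML-escaped and placed in
    href. Escaping stops tag injection but says nothing about the scheme, so
    'javascript:' survives as a clickable link."""
    escaped = html.escape(value, quote=True)
    return f'<p class="url">Currently: <a href="{escaped}">{escaped}</a></p>'


def render_current_link_validated(
    value: str, validator: Callable[[str], bool] = is_safe_url
) -> str:
    """Fixed behaviour, simplified: run the validator first and emit the
    clickable link only when it passes; otherwise emit no link at all and
    leave the raw value to the plain text input."""
    if not validator(value):
        return ""
    escaped = html.escape(value, quote=True)
    return f'<p class="url">Currently: <a href="{escaped}">{escaped}</a></p>'


def classify(values=SAMPLE_VALUES):
    """Return {value: (link emitted before fix, link emitted after fix)}."""
    return {
        v: (
            "<a href=" in render_current_link_unvalidated(v),
            "<a href=" in render_current_link_validated(v),
        )
        for v in values
    }


if __name__ == "__main__":
    for value, (before, after) in classify().items():
        print(f"{value!r}: link before fix={before}, after fix={after}")
```

The check that matters is on the scheme and host of the raw value, not on
the escaped text: html.escape leaves "javascript:alert(document.domain)"
untouched because it contains no markup characters, which is exactly why the
unvalidated widget produced a working JavaScript link. Passing a different
validator to render_current_link_validated mirrors what the validator_class
kwarg does for AdminURLFieldWidget.
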

Patched bundled jQuery for CVE-2019-11358: Prototype pollution
jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of
Object.prototype pollution. If an unsanitized source object contained an
enumerable __proto__ property, it could extend the native Object.prototype.

The bundled version of jQuery used by the Django admin has been patched,
because the select2 library shipped with the admin relies on jQuery.extend().

Affected versions
Django master development branch
Django 2.2 before version 2.2.2
Django 2.1 before version 2.1.9

Resolution
Patches to resolve these issues have been applied to Django's master branch
and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained
from the following changesets:

On the master branch:

Admin XSS
jQuery prototype pollution
On the 2.2 release branch:

Admin XSS
jQuery prototype pollution
On the 2.1 release branch:

Admin XSS
jQuery prototype pollution
On the 1.11 release branch:

Admin XSS

The following releases have been issued:

Django 1.11.21 (download Django 1.11.21 | 1.11.21 checksums)
Django 2.1.9 (download Django 2.1.9 | 2.1.9 checksums)
Django 2.2.2 (download Django 2.2.2 | 2.2.2 checksums)
The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private
email to security@djangoproject.com, and not via Django's Trac instance
or the django-developers list. Please see our security policies for
further information.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
