
====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN196

_____________________________________________________________________

DATE                : 01/07/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Django versions prior to 2.2.3,
                      2.1.10, 1.11.22.

=====================================================================
https://www.djangoproject.com/weblog/2019/jul/01/security-releases/
_____________________________________________________________________


In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the
Django team is issuing `Django 1.11.22
<https://docs.djangoproject.com/en/dev/releases/1.11.22/>`_,
`Django 2.1.10
<https://docs.djangoproject.com/en/dev/releases/2.1.10/>`_, and
`Django 2.2.3 <https://docs.djangoproject.com/en/dev/releases/2.2.3/>`_.
These releases address the security issues detailed below.
We encourage all users of Django to upgrade as soon as possible.


Thanks to Gavin Wahl for reporting this issue.

CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
================================================================================

When deployed behind a reverse-proxy that connects to Django via HTTPS,
``django.http.HttpRequest.scheme`` would incorrectly report client
requests made via HTTP as using HTTPS. This produced incorrect results
for ``is_secure()`` and ``build_absolute_uri()``, and meant that HTTP
requests would not be redirected to HTTPS as required by
``SECURE_SSL_REDIRECT``.


``HttpRequest.scheme`` now respects ``SECURE_PROXY_SSL_HEADER``, if it
is configured and the appropriate header is set on the request, for
both HTTP and HTTPS requests.


If you deploy Django behind a reverse-proxy that forwards HTTP requests,
and that connects to Django via HTTPS, be sure to verify that your
application correctly handles code paths relying on ``scheme``,
``is_secure()``, ``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.
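The behaviour described above, as an added illustration that is not Django's own code: a minimal stand-alone model of ``scheme`` before and after the fix, run against a constructed request in which the client spoke plain HTTP to the proxy while the proxy reached Django over HTTPS. ``SECURE_PROXY_SSL_HEADER`` and ``SECURE_SSL_REDIRECT`` are the real Django settings named in the advisory; the header value and the environ dicts are constructed for the example.

```python
# Added illustration, not Django's code: a stand-alone model of the scheme
# detection before and after the CVE-2019-12781 fix. The setting name is
# Django's; the header value and WSGI environ dicts below are constructed.

# Assumed deployment setting: the proxy tells Django the client's scheme here.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def scheme_vulnerable(meta, connection_scheme):
    """Pre-fix model: the proxy header can only upgrade the result to https.

    When the proxy itself talks to Django over HTTPS, connection_scheme is
    'https', so a client that used plain HTTP is still reported as https.
    """
    header, value = SECURE_PROXY_SSL_HEADER
    if meta.get(header) == value:
        return "https"
    return connection_scheme


def scheme_fixed(meta, connection_scheme):
    """Fixed model: if the configured header is present, it decides both ways."""
    header, value = SECURE_PROXY_SSL_HEADER
    header_value = meta.get(header)
    if header_value is not None:
        return "https" if header_value == value else "http"
    return connection_scheme  # no header: fall back to the actual connection


def needs_ssl_redirect(scheme):
    """What SECURE_SSL_REDIRECT hinges on: redirect anything not already https."""
    return scheme != "https"


def compare(meta, connection_scheme):
    """Return (vulnerable_scheme, fixed_scheme) for one request."""
    return scheme_vulnerable(meta, connection_scheme), scheme_fixed(meta, connection_scheme)


# Constructed scenario from the advisory: client -> proxy over plain HTTP,
# proxy -> Django over HTTPS. The proxy reports the client's scheme honestly.
CLIENT_HTTP_META = {"HTTP_X_FORWARDED_PROTO": "http", "HTTP_HOST": "example.com"}
PROXY_CONNECTION_SCHEME = "https"

if __name__ == "__main__":
    for name, s in zip(("vulnerable", "fixed"), compare(CLIENT_HTTP_META, PROXY_CONNECTION_SCHEME)):
        print(f"{name}: scheme={s}, redirect to https? {needs_ssl_redirect(s)}")
```

The fixed path only behaves as the advisory states when the proxy itself always sets the header; a copy let through from the client would decide the scheme, which is why the Django documentation stresses stripping it at the proxy.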


Affected supported versions
===========================

* Django master development branch
* Django 2.2 before version 2.2.3
* Django 2.1 before version 2.1.10
* Django 1.11 before version 1.11.22

Resolution
==========

Patches to resolve the issue have been applied to Django's master branch
and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained
from the following changesets:


* On the `master branch
<https://github.com/django/django/commit/54d0f5e62f54c29a12dd96f44bacd810cbe03ac8>`__
* On the `2.2 release branch
<https://github.com/django/django/commit/77706a3e4766da5d5fb75c4db22a0a59a28e6cd6>`__
* On the `2.1 release branch
<https://github.com/django/django/commit/1e40f427bb8d0fb37cc9f830096a97c36c97af6f>`__
* On the `1.11 release branch
<https://github.com/django/django/commit/32124fc41e75074141b05f10fc55a4f01ff7f050>`__


The following releases have been issued:

* Django 1.11.22 (`download Django 1.11.22
  <https://www.djangoproject.com/m/releases/1.11/Django-1.11.22.tar.gz>`_
  | `1.11.22 checksums
  <https://www.djangoproject.com/m/pgp/Django-1.11.22.checksum.txt>`_)
* Django 2.1.10 (`download Django 2.1.10
  <https://www.djangoproject.com/m/releases/2.1/Django-2.1.10.tar.gz>`_
  | `2.1.10 checksums
  <https://www.djangoproject.com/m/pgp/Django-2.1.10.checksum.txt>`_)
* Django 2.2.3 (`download Django 2.2.3
  <https://www.djangoproject.com/m/releases/2.2/Django-2.2.3.tar.gz>`_
  | `2.2.3 checksums
  <https://www.djangoproject.com/m/pgp/Django-2.2.3.checksum.txt>`_)


The PGP key ID used for this release is Mariusz Felisiak:
2EF56372BA48CD1B.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance, Django's GitHub repositories, or the django-developers
list.

Please see `our security policies
<https://www.djangoproject.com/security/>`_ for further information.




=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================




