Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <BCE707AC-83ED-4812-9759-3992110405AD@gmail.com>
Date: Mon, 3 Jun 2019 13:21:10 +0200
From: Carlton Gibson <carlton.gibson@...il.com>
To: oss-security@...ts.openwall.com
Subject: Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled
 jQuery for CVE-2019-11358)

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team
is issuing `Django 1.11.21
<https://docs.djangoproject.com/en/dev/releases/1.11.21/>`_, `Django 2.1.9
<https://docs.djangoproject.com/en/dev/releases/2.1.9/>`_, and `Django 2.2.2
<https://docs.djangoproject.com/en/dev/releases/2.2.2/>`_. These releases
addresses the security issues detailed below. We encourage all users of Django
to upgrade as soon as possible.

CVE-2019-12308: AdminURLFieldWidget XSS
=======================================

The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
the provided value without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value provided as a URL query parameter
payload, could result in an clickable JavaScript link.

``AdminURLFieldWidget`` now validates the provided value using ``URLValidator``
before displaying the clickable link. You may customise the validator by
passing a ``validator_class`` kwarg to ``AdminURLFieldWidget.__init__()``, e.g.
when using ``ModelAdmin.formfield_overrides``.

Affected versions
-----------------

* Django master development branch
* Django 2.2 before version 2.2.2
* Django 2.1 before version 2.1.9
* Django 1.11 before version 1.11.21

Patched bundled jQuery for CVE-2019-11358: Prototype pollution
==============================================================

jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
``Object.prototype`` pollution. If an unsanitized source object contained an
enumerable ``__proto__`` property, it could extend the native
``Object.prototype``.

The bundled version of jQuery used by the Django admin has been patched to
allow for the ``select2`` library's use of ``jQuery.extend()``.

Affected versions
-----------------

* Django master development branch
* Django 2.2 before version 2.2.2
* Django 2.1 before version 2.1.9

Resolution
==========

Patches to resolve these issues have been applied to Django's master branch and
the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the
following changesets:

On the master branch:

* `Admin XSS <https://github.com/django/django/commit/deeba6d92006999fee9adfbd8be79bf0a59e8008>`__
* `jQuery prototype pollution <https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f>`__

On the 2.2 release branch:

* `Admin XSS <https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673>`__
* `jQuery prototype pollution <https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad>`__

On the 2.1 release branch:

* `Admin XSS <https://github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62>`__
* `jQuery prototype pollution <https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829>`__

On the 1.11 release branch:

* `Admin XSS <https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b>`__

The following releases have been issued:

* Django 1.11.21 (`download Django 1.11.21 <https://www.djangoproject.com/m/releases/1.11/Django-1.11.21.tar.gz>`_ | `1.11.21 checksums <https://www.djangoproject.com/m/pgp/Django-1.11.21.checksum.txt>`_)
* Django 2.1.9 (`download Django 2.1.9 <https://www.djangoproject.com/m/releases/2.1/Django-2.1.9.tar.gz>`_ | `2.1.9 checksums <https://www.djangoproject.com/m/pgp/Django-2.1.9.checksum.txt>`_)
* Django 2.2.2 (`download Django 2.2.2 <https://www.djangoproject.com/m/releases/2.1/Django-2.2.2.tar.gz>`_ | `2.2.2 checksums <https://www.djangoproject.com/m/pgp/Django-2.2.2.checksum.txt>`_)


The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security@...ngoproject.com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.