Security Information / 2016 / Security Information -- DSA-3678-1 python-django

Debian Security Advisory

DSA-3678-1 python-django -- security update

Date Reported:

26 Sep 2016

Affected Packages:

python-django

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2016-7401.

More information:

Sergey Bobrov discovered that cookie parsing in Django and Google Analytics interacted such a way that an attacker could set arbitrary cookies. This allows other malicious web sites to bypass the Cross-Site Request Forgery (CSRF) protections built into Django.

For the stable distribution (jessie), this problem has been fixed in version 1.7.11-1+deb8u1.

For the unstable distribution (sid), this problem has been fixed in version 1:1.10-1.

We recommend that you upgrade your python-django packages.