-----BEGIN PGP SIGNED MESSAGE-----

Debian Security Advisory DSA-3678-1
https://www.debian.org/security/                          Florian Weimer
September 26, 2016

Package        : python-django
CVE ID         : CVE-2016-7401

Sergey Bobrov discovered that cookie parsing in Django and Google
Analytics interacted in such a way that an attacker could set arbitrary
cookies. This allows other malicious web sites to bypass the
Cross-Site Request Forgery (CSRF) protections built into Django.

For the stable distribution (jessie), this problem has been fixed in
version 1.7.11-1+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.10-1.

We recommend that you upgrade your python-django packages.
