Multiple issues in django

ID: RHSA-2019:0265-01
Distribution: Red Hat
Platforms: Red Hat Gluster Storage
Date: Mon, 4 February 2019, 10:30
References: https://access.redhat.com/security/cve/CVE-2018-7537
https://access.redhat.com/security/cve/CVE-2018-14574
https://access.redhat.com/security/cve/CVE-2018-7536
Applications: Django

Original message
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Gluster Storage Web Administration security update
Advisory ID: RHSA-2019:0265-01
Product: Red Hat Gluster Storage
Advisory URL: https://access.redhat.com/errata/RHSA-2019:0265
Issue date: 2019-02-04
CVE Names: CVE-2018-7536 CVE-2018-7537 CVE-2018-14574
=====================================================================

1. Summary:

Updated packages are now available for Red Hat Gluster Storage 3.4 Web Administration Batch Update 3 on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Gluster 3.4 Web Administration Node Agent on RHEL-7 - noarch
Red Hat Gluster 3.4 Web Administration on RHEL-7 - noarch, x86_64

3. Description:

Red Hat Gluster Storage Web Administration includes a fully automated setup based on Ansible and provides deep metrics and insights into active Gluster storage pools by using the Grafana platform. Red Hat Gluster Storage Web Administration provides a dashboard view which allows an administrator to get a view of overall gluster health in terms of hosts, volumes, bricks, and other components of GlusterFS.

Security Fix(es):

* django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc' (CVE-2018-7536)
* django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html' (CVE-2018-7537)
* django: Open redirect possibility in CommonMiddleware (CVE-2018-14574)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the Django project for reporting CVE-2018-7536 and CVE-2018-7537.

Users of Red Hat Gluster Storage Web Administration with Red Hat Gluster Storage are advised to upgrade to this updated package to fix these issues.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1549777 - CVE-2018-7536 django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc'
1549779 - CVE-2018-7537 django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html'
1609031 - CVE-2018-14574 django: Open redirect possibility in CommonMiddleware
1654338 - tendrl-commons doesn't specify minimal ansible version it requires
1655424 - Need to change graphite db initialization command in tendrl-ansible as per new graphite-web version-1.1.4-1
1655433 - Need to restrict few services port from outside access to web-admin
1658245 - graphite data migration process from graphite-web-0.X.X to graphite-web-1.X.X should done from tendrl-upgrade script
1659678 - Grafana unable to fetch data after updating graphite-web to 1.x.x
1660779 - After migration to graphite-1.1.4 the brick specific dashboards are not visible in grafana

6. Package List:

Red Hat Gluster 3.4 Web Administration Node Agent on RHEL-7:

Source:
tendrl-commons-1.6.3-15.el7rhgs.src.rpm
tendrl-node-agent-1.6.3-15.el7rhgs.src.rpm
tendrl-selinux-1.5.4-3.el7rhgs.src.rpm

noarch:
tendrl-collectd-selinux-1.5.4-3.el7rhgs.noarch.rpm
tendrl-commons-1.6.3-15.el7rhgs.noarch.rpm
tendrl-node-agent-1.6.3-15.el7rhgs.noarch.rpm
tendrl-selinux-1.5.4-3.el7rhgs.noarch.rpm

Red Hat Gluster 3.4 Web Administration on RHEL-7:

Source:
graphite-web-1.1.4-1.el7rhgs.src.rpm
python-cachetools-1.0.3-1.1.el7rhgs.src.rpm
python-carbon-1.1.4-1.el7rhgs.src.rpm
python-django-1.11.15-4.el7rhgs.src.rpm
python-django-tagging-0.4.6-1.el7rhgs.src.rpm
python-scandir-1.3-1.el7rhgs.src.rpm
python-whisper-1.1.4-1.el7rhgs.src.rpm
tendrl-ansible-1.6.3-11.el7rhgs.src.rpm
tendrl-api-1.6.3-10.el7rhgs.src.rpm
tendrl-commons-1.6.3-15.el7rhgs.src.rpm
tendrl-monitoring-integration-1.6.3-20.el7rhgs.src.rpm
tendrl-node-agent-1.6.3-15.el7rhgs.src.rpm
tendrl-selinux-1.5.4-3.el7rhgs.src.rpm

noarch:
carbon-selinux-1.5.4-3.el7rhgs.noarch.rpm
graphite-web-1.1.4-1.el7rhgs.noarch.rpm
python-cachetools-1.0.3-1.1.el7rhgs.noarch.rpm
python-carbon-1.1.4-1.el7rhgs.noarch.rpm
python-django-bash-completion-1.11.15-4.el7rhgs.noarch.rpm
python-django-tagging-0.4.6-1.el7rhgs.noarch.rpm
python-whisper-1.1.4-1.el7rhgs.noarch.rpm
python2-django-1.11.15-4.el7rhgs.noarch.rpm
python2-django-doc-1.11.15-4.el7rhgs.noarch.rpm
tendrl-ansible-1.6.3-11.el7rhgs.noarch.rpm
tendrl-api-1.6.3-10.el7rhgs.noarch.rpm
tendrl-api-httpd-1.6.3-10.el7rhgs.noarch.rpm
tendrl-commons-1.6.3-15.el7rhgs.noarch.rpm
tendrl-grafana-plugins-1.6.3-20.el7rhgs.noarch.rpm
tendrl-grafana-selinux-1.5.4-3.el7rhgs.noarch.rpm
tendrl-monitoring-integration-1.6.3-20.el7rhgs.noarch.rpm
tendrl-node-agent-1.6.3-15.el7rhgs.noarch.rpm
tendrl-selinux-1.5.4-3.el7rhgs.noarch.rpm

x86_64:
python-scandir-1.3-1.el7rhgs.x86_64.rpm
python-scandir-debuginfo-1.3-1.el7rhgs.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-7536
https://access.redhat.com/security/cve/CVE-2018-7537
https://access.redhat.com/security/cve/CVE-2018-14574
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is
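A post-update check that an administrator can run to confirm the packages from this advisory are actually at the fixed versions, added here as an example and not part of the Red Hat advisory. It reimplements rpm's segment-wise version comparison (tilde/caret ordering omitted, epoch assumed to be 0) and compares a constructed sample of `rpm -qa` output against the version-release pairs taken from the package list above.

```python
import re

# Fixed (version, release) pairs from the package list of RHSA-2019:0265 (noarch, RHEL-7).
# Epoch is assumed to be 0 for all of them.
FIXED = {
    "python2-django": ("1.11.15", "4.el7rhgs"),
    "graphite-web": ("1.1.4", "1.el7rhgs"),
    "tendrl-api": ("1.6.3", "10.el7rhgs"),
    "tendrl-node-agent": ("1.6.3", "15.el7rhgs"),
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output
# from a host that has only partially applied the update.
SAMPLE_RPM_QA = """\
python2-django 1.11.15 4.el7rhgs
graphite-web 0.9.16 2.el7rhgs
tendrl-api 1.6.3 9.el7rhgs
tendrl-node-agent 1.6.3 15.el7rhgs
bash 4.2.46 31.el7
"""

def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp (tilde/caret ordering not implemented)."""
    # Tokenise into runs of digits or letters; every other character only separates segments.
    sa, sb = (re.findall(r"\d+|[a-zA-Z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts newer than an alpha one
        if x.isdigit():
            x, y = int(x), int(y)  # numeric compare: "10" > "9", leading zeros ignored
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments make it newer

def is_fixed(name, version, release):
    """True if installed version-release is at or above the advisory's; None if not covered."""
    if name not in FIXED:
        return None
    fixed_version, fixed_release = FIXED[name]
    return (rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)) >= 0

def audit(rpm_qa_output):
    """Return (name, installed version-release, status) for each package the advisory covers."""
    findings = []
    for line in rpm_qa_output.strip().splitlines():
        name, version, release = line.split()
        ok = is_fixed(name, version, release)
        if ok is not None:
            findings.append((name, f"{version}-{release}", "fixed" if ok else "VULNERABLE"))
    return findings
```

Packages outside the advisory (such as bash in the sample) are skipped rather than reported, so a clean run lists only the advisory's packages with their status.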