PublicDateAtUSN: 2019-01-07
Candidate: CVE-2019-3498
PublicDate: 2019-01-09 23:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3498
 https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
 https://ubuntu.com/security/notices/USN-3851-1
Description:
 In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918230
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N [6.5 MEDIUM]

Patches_python-django:
 upstream: https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a (1.11.x)
 upstream: https://github.com/django/django/commit/64d2396e83aedba3fcc84ca40f23fbd22f0b9b5b (2.1.x)
upstream_python-django: released (1:1.11.18-1)
precise/esm_python-django: DNE
trusty_python-django: released (1.6.11-0ubuntu1.3)
trusty/esm_python-django: released (1.6.11-0ubuntu1.3)
xenial_python-django: released (1.8.7-1ubuntu5.7)
esm-infra/xenial_python-django: released (1.8.7-1ubuntu5.7)
bionic_python-django: released (1:1.11.11-1ubuntu1.2)
cosmic_python-django: released (1:1.11.15-1ubuntu1.1)
devel_python-django: not-affected (1:1.11.18-1ubuntu2)