Debian 10261 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1842-1: python-django security update

Debian GNU/Linux 9:
DSA 4474-1: firefox-esr security update
DSA 4475-1: openssl security update



DLA 1842-1: python-django security update




Package : python-django
Version : 1.7.11-1+deb8u6
CVE ID : CVE-2019-12308
Debian Bug : #931316

It was discovered that the Django Python web development framework
did not correct identify HTTP connections when a reverse proxy
connected via HTTPS.

When deployed behind a reverse-proxy connecting to Django via HTTPS
django.http.HttpRequest.scheme would incorrectly detect client
requests made via HTTP as using HTTPS. This resulted in incorrect
results for is_secure(), and build_absolute_uri(), and that HTTP
requests would not be redirected to HTTPS in accordance with
SECURE_SSL_REDIRECT.

HttpRequest.scheme now respects SECURE_PROXY_SSL_HEADER, if it is
configured, and the appropriate header is set on the request, for
both HTTP and HTTPS requests.

If you deploy Django behind a reverse-proxy that forwards HTTP
requests, and that connects to Django via HTTPS, be sure to verify
that your application correctly handles code paths relying on scheme,
is_secure(), build_absolute_uri(), and SECURE_SSL_REDIRECT.

For Debian 8 "Jessie", this issue has been fixed in python-django version
1.7.11-1+deb8u6.

We recommend that you upgrade your python-django packages.




DSA 4474-1: firefox-esr security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4474-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 01, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2019-11708

A sandbox escape was found in the Mozilla Firefox web browser, which
could potentially result in the execution of arbitrary code if
combined with additional vulnerabilities.

For the stable distribution (stretch), this problem has been fixed in
version 60.7.2esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4475-1: openssl security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4475-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 01, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssl
CVE ID : CVE-2019-1543

Joran Dirk Greef discovered that overly long nonces used with
ChaCha20-Poly1305 were incorrectly processed and could result in nonce
reuse. This doesn't affect OpenSSL-internal uses of ChaCha20-Poly1305
such as TLS.

For the stable distribution (stretch), this problem has been fixed in
version 1.1.0k-1~deb9u1. This DSA also upgrades openssl1.0 (which
itself is not affected by CVE-2019-1543) to 1.0.2s-1~deb9u1

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/