[Security] Bump django from 1.9 to 2.1.7

[dependabot-preview]

Bumps django from 1.9 to 2.1.7. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Sonatype OSS Index.

[CVE-2016-9013] null
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.

Affected versions: <= 1.8.15, >= 1.8.0; <= 1.9.10, >= 1.9.0; <= 1.10.2, >= 1.10.0

Sourced from The Sonatype OSS Index.

[CVE-2016-7401] null
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

Affected versions: <= 1.8.14; <= 1.9.9, >= 1.9.0

Sourced from The Sonatype OSS Index.

[CVE-2016-2512] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\[**attacker**](https://github.com/attacker).com.

Affected versions: = 1.8.9; <= 1.9.2, >= 1.9.0

Sourced from The Sonatype OSS Index.

[CVE-2017-7233] URL Redirection to Untrusted Site ("Open Redirect")
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

Affected versions: = 1.8.0-a1; <= 1.8.0-b2, >= 1.8.0-b1; = 1.8.0; = 1.8.0-c1; <= 1.8.17, >= 1.8.1; = 1.9.0-a1; = 1.9.0-b1; <= 1.9.0-rc2, >= 1.9.0-rc1; <= 1.9.12, >= 1.9.0; = 1.10.0-a1; = 1.10.0-b1; = 1.10.0-rc1; <= 1.10.6, >= 1.10.0

Sourced from The Sonatype OSS Index.

[CVE-2016-2048] Improper Access Control
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.

Affected versions: <= 1.9.1, >= 1.9.0

Sourced from The Sonatype OSS Index.

[CVE-2017-7234] URL Redirection to Untrusted Site ("Open Redirect")
A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the django.views.static.serve() view could redirect to any other domain, aka an open redirect vulnerability.

Affected versions: = 1.8.0-a1; <= 1.8.0-b2, >= 1.8.0-b1; = 1.8.0; = 1.8.0-c1; <= 1.8.17, >= 1.8.1; = 1.9.0-a1; = 1.9.0-b1; <= 1.9.0-rc2, >= 1.9.0-rc1; <= 1.9.12, >= 1.9.0; = 1.10.0-a1; = 1.10.0-b1; = 1.10.0-rc1; <= 1.10.6, >= 1.10.0

Sourced from The Sonatype OSS Index.

[CVE-2016-9014] Permissions, Privileges, and Access Controls
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.

Affected versions: <= 1.8.15, >= 1.8.0; <= 1.9.10, >= 1.9.0; <= 1.10.2, >= 1.10.0

Sourced from The Sonatype OSS Index.

[CVE-2016-6186] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Affected versions: <= 1.8.13; = 1.9.0-rc1; <= 1.9.7, >= 1.9.0; = 1.10.0-alpha1; = 1.10.0-beta1

Sourced from The Sonatype OSS Index.

[CVE-2016-2513] Information Exposure
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

Affected versions: = 1.8.9; <= 1.9.2, >= 1.9.0

Sourced from The GitHub Security Advisory Database.

Low severity vulnerability that affects django
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.

Affected versions: < 1.11.18

Sourced from The Sonatype OSS Index.

[CVE-2016-2048] Improper Access Control
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.

Affected versions: >= 1.9.0, <= 1.9.1

Sourced from The Sonatype OSS Index.

[CVE-2017-7234] URL Redirection to Untrusted Site ("Open Redirect")
A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the django.views.static.serve() view could redirect to any other domain, aka an open redirect vulnerability.

Affected versions: = 1.8.0-a1; >= 1.8.0-b1, <= 1.8.0-b2; = 1.8.0; = 1.8.0-c1; >= 1.8.1, <= 1.8.17; = 1.9.0-a1; = 1.9.0-b1; >= 1.9.0-rc1, <= 1.9.0-rc2; >= 1.9.0, <= 1.9.12; = 1.10.0-a1; = 1.10.0-b1; = 1.10.0-rc1; >= 1.10.0, <= 1.10.6

Sourced from The Sonatype OSS Index.

[CVE-2016-2512] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\[**attacker**](https://github.com/attacker).com.

Affected versions: = 1.8.9; >= 1.9.0, <= 1.9.2

Sourced from The Sonatype OSS Index.

[CVE-2016-2513] Information Exposure
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

Affected versions: = 1.8.9; >= 1.9.0, <= 1.9.2

Sourced from The Sonatype OSS Index.

[CVE-2016-6186] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Affected versions: <= 1.8.13; = 1.9.0-rc1; >= 1.9.0, <= 1.9.7; = 1.10.0-alpha1; = 1.10.0-beta1

Sourced from The Sonatype OSS Index.

[CVE-2016-9013] null
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.

Affected versions: >= 1.8.0, <= 1.8.15; >= 1.9.0, <= 1.9.10; >= 1.10.0, <= 1.10.2

Sourced from The Sonatype OSS Index.

[CVE-2016-7401] null
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

Affected versions: <= 1.8.14; >= 1.9.0, <= 1.9.9

Sourced from The Sonatype OSS Index.

[CVE-2017-7233] URL Redirection to Untrusted Site ("Open Redirect")
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

Affected versions: = 1.8.0-a1; >= 1.8.0-b1, <= 1.8.0-b2; = 1.8.0; = 1.8.0-c1; >= 1.8.1, <= 1.8.17; = 1.9.0-a1; = 1.9.0-b1; >= 1.9.0-rc1, <= 1.9.0-rc2; >= 1.9.0, <= 1.9.12; = 1.10.0-a1; = 1.10.0-b1; = 1.10.0-rc1; >= 1.10.0, <= 1.10.6

Sourced from The Sonatype OSS Index.

[CVE-2016-9014] Permissions, Privileges, and Access Controls
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.

Affected versions: >= 1.8.0, <= 1.8.15; >= 1.9.0, <= 1.9.10; >= 1.10.0, <= 1.10.2

Commits

• dd0aa9d [2.1.x] Bumped version for 2.1.7 release.
• 168bfdd [2.1.x] Refs #30175 -- Added release notes for 2.1.7, 2.0.12, and 1.11.20 rel...
• 79a6e77 [2.1.x] Bumped version for 2.1.6 release.
• 40cd190 [2.1.x] Fixed CVE-2019-6975 -- Fixed memory exhaustion in utils.numberformat....
• 657bbb1 [2.1.x] Removed extra characters in docs header underlines.
• 5e5ecad [2.1.x] Added stub release notes for security releases.
• 893b80d [2.1.x] Fixed duplicate word in docs/releases/2.0.txt.
• f30467f [2.1.x] Used extlinks for GitHub commits.
• 86f0779 [2.1.x] Corrected output of Prefetch.to_attr example.
• cd21b1a [2.1.x] Fixed E117 and F405 flake8 warnings.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[dependabot-preview]

Superseded by #692.