2.9.1 (Security Fixes)

  • SEC-131
      • Category: Customer Security: medium - high
      • Type: Open Redirect
      • Risk: Identity theft, phishing, defacement
      • Summary: A bug in Django 1.11.14 allows an attacker to fool our customers by redirecting them to external, attacker-controlled websites
      • For unknown reasons this fix did not get merged into release 2.9.0
      • Fixed in development by upgrading Django and its dependencies to 1.11.16
      • Fixed/deployed as hotfix 2.9.2

  • SEC-125
      • Category: Customer Security: medium - high
      • Type: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
      • Risk: Session hijacking, stolen payments, insecure NETS payment
      • Summary: During NETS payment our customer loses their cookies when being redirected
      • The fix has been reverted due to a bug and time constraints
      • NETS payment should be treated as insecure
      • Fixed/deployed as hotfix 2.9.2
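The two issue classes in these notes, an open redirect (SEC-131) and a session cookie issued without the Secure attribute (SEC-125), each have a defensive check that is easy to run in a review or a test suite. The following is an added example, not code from the release note or from the project: a redirect-target validator that rejects scheme-relative, backslash, triple-slash, userinfo and non-http(s) targets, a Set-Cookie header auditor that reports missing Secure/HttpOnly flags, and the weak Django cookie settings beside the corrected ones. The setting names SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE are Django's own (the page does not mention them); every hostname, cookie value and header line is a constructed placeholder.

```python
"""Defensive checks for the two issue classes in this release note:
an open redirect (SEC-131) and a session cookie issued without the
Secure attribute (SEC-125).  Added example, not the project's code."""
from urllib.parse import urlsplit

# --- SEC-131: validating a redirect target -------------------------------

def is_safe_redirect(url, allowed_hosts):
    """Return True only if ``url`` is a relative path or an http(s) URL on
    one of ``allowed_hosts``.  Everything a browser could turn into a hop
    to another origin is rejected: scheme-relative ``//host``, backslash
    variants, ``///host``, non-http schemes and userinfo tricks."""
    if not url or url[0].isspace() or ord(url[0]) < 0x20:
        return False
    url = url.replace("\\", "/")           # browsers treat \ like /
    if url.startswith("///"):              # Chrome reads this as absolute
        return False
    parts = urlsplit(url)
    if parts.scheme and not parts.netloc:  # "http:evil", "javascript:..."
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # .hostname strips userinfo and port, so "shop@evil" resolves to evil
        return (parts.hostname or "").lower() in {h.lower() for h in allowed_hosts}
    return True


# --- SEC-125: cookies missing the Secure attribute -----------------------

# Constructed Django settings fragments.  The setting names are Django's
# own; the first dict is the weak configuration, the second the corrected one.
WEAK_SETTINGS = {
    "SESSION_COOKIE_SECURE": False,   # Django default
    "CSRF_COOKIE_SECURE": False,      # Django default
    "SESSION_COOKIE_HTTPONLY": True,
}
HARDENED_SETTINGS = {
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
}
SECURE_SETTINGS = ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE")


def insecure_cookie_settings(settings):
    """Names of the cookie settings that would emit a cookie without Secure."""
    return [k for k in SECURE_SETTINGS if not settings.get(k, False)]


def audit_set_cookie(header_value, required=("secure", "httponly")):
    """Parse one Set-Cookie header value and return (cookie_name, missing_flags).

    An empty ``missing_flags`` list means the cookie carries every required
    attribute.  Attribute names are case-insensitive per RFC 6265."""
    pieces = [p.strip() for p in header_value.split(";")]
    name = pieces[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in pieces[1:] if p}
    return name, [flag for flag in required if flag not in attrs]


if __name__ == "__main__":
    # Constructed samples; the hostnames and cookie values are placeholders.
    for target in ("/checkout/done/", "//evil.example/", "/\\evil.example",
                   "https://shop.example/cart", "javascript:alert(1)"):
        print(f"{target!r:32} safe={is_safe_redirect(target, ['shop.example'])}")
    for header in ("sessionid=abc123; Path=/; HttpOnly",
                   "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"):
        print(audit_set_cookie(header))
    print("weak:", insecure_cookie_settings(WEAK_SETTINGS))
    print("hardened:", insecure_cookie_settings(HARDENED_SETTINGS))
```

The redirect check deliberately allows only a plain relative path or an http(s) URL whose parsed hostname is in the allow-list; checking `parts.hostname` rather than the raw netloc is what defeats the `trusted@evil` form. The cookie auditor is meant to be run over the Set-Cookie headers an HTTPS response actually emits, which catches the case where the settings look right but a different code path (for example a payment redirect) sets its own cookie without the flag.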