Cleartext Transmission of Sensitive Information Affecting py3-django package, versions <1.11.22-r0

Note: Versions mentioned in the description apply only to the upstream py3-django package and not the py3-django package as distributed by Alpine. See How to fix? for Alpine:3.20 relevant fixed versions and status.

An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.

• http://www.securityfocus.com/bid/109018
• https://seclists.org/bugtraq/2019/Jul/10
• https://security.netapp.com/advisory/ntap-20190705-0002/
• https://www.djangoproject.com/weblog/2019/jul/01/security-releases/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12781
• https://www.debian.org/security/2019/dsa-4476
• https://security-tracker.debian.org/tracker/CVE-2019-12781
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5VXXWIOQGXOB7JCGJ3CVUW673LDHKEYL/
• https://docs.djangoproject.com/en/dev/releases/security/
• https://groups.google.com/forum/#!topic/django-announce/Is4kLY9ZcZQ
• http://www.openwall.com/lists/oss-security/2019/07/01/3
• http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
• http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
• https://usn.ubuntu.com/4043-1/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12781
• https://groups.google.com/forum/#%21topic/django-announce/Is4kLY9ZcZQ
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VXXWIOQGXOB7JCGJ3CVUW673LDHKEYL/