Bug 382599 (CVE-2011-4136) - <dev-python/django-1.3.1 multiple vulnerabilities (CVE-2011-{4136,4137,4138,4139,4140})
Summary: <dev-python/django-1.3.1 multiple vulnerabilities (CVE-2011-{4136,4137,4138,4...
Status: RESOLVED FIXED
Alias: CVE-2011-4136
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B3 [noglsa]
Keywords:
Duplicates: 387665
Depends on:
Blocks:
 
Reported: 2011-09-11 14:17 UTC by Sean Amoss (RETIRED)
Modified: 2011-10-22 04:37 UTC (History)
Description Sean Amoss (RETIRED) gentoo-dev Security 2011-09-11 14:17:23 UTC
Multiple security flaws have been recently addressed in the v1.3.1 and v1.2.7
versions of the Django Python Web framework:
1. Session manipulation
2. Denial of service attack via URLField
3. URLField redirection
4. Host header cache poisoning
5. Host header and CSRF
6. Cross-subdomain CSRF attacks
7. DEBUG pages and sensitive POST data

Reproducible: Always
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-09-11 15:03:09 UTC
@python is =dev-python/django-1.3.1 a suitable target for stabilization?
Comment 2 Dirkjan Ochtman (RETIRED) gentoo-dev 2011-09-11 15:55:35 UTC
That should be fine, yes.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-09-11 16:42:34 UTC
(In reply to comment #2)
> That should be fine, yes.

Great, thanks.

Arches, please test and mark stable:
=dev-python/django-1.3.1
Target keywords : "amd64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-09-11 17:12:41 UTC
amd64 ok

check also for bug 382611 and bug 367547
Comment 5 Thomas Kahle (RETIRED) gentoo-dev 2011-09-12 18:14:02 UTC
x86 stable
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2011-09-15 07:55:38 UTC
Emerges ok, all use flags ok.
Neither of you mentioned test phase failure, bug 371057.
Failed with both python 2 and 3 set.
Perhaps because it's no regression, so out of contention to stop stabilisation.
Comment 7 Tony Vroon (RETIRED) gentoo-dev 2011-09-16 12:03:15 UTC
+  16 Sep 2011; Tony Vroon <chainsaw@gentoo.org> django-1.3.1.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #382599 filed by Sean Amoss.

Security, please proceed with GLSA voting.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-09-16 14:03:26 UTC
Vote: NO
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-09-19 18:51:34 UTC
GLSA Vote: No too. Closing noglsa.
Comment 10 Agostino Sarubbo gentoo-dev 2011-10-19 11:32:30 UTC
*** Bug 387665 has been marked as a duplicate of this bug. ***
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-10-22 04:37:41 UTC
CVE-2011-4140 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4140):
  The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through
  1.3.1 does not properly handle web-server configurations supporting
  arbitrary HTTP Host headers, which allows remote attackers to trigger
  unauthenticated forged requests via vectors involving a DNS CNAME record and
  a web page containing JavaScript code.

CVE-2011-4139 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4139):
  Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header
  to construct a full URL in certain circumstances, which allows remote
  attackers to conduct cache poisoning attacks via a crafted request.

CVE-2011-4138 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4138):
  The verify_exists functionality in the URLField implementation in Django
  before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity
  through a HEAD request, but then uses a GET request for the new target URL
  in the case of a redirect, which might allow remote attackers to trigger
  arbitrary GET requests with an unintended source IP address via a crafted
  Location header.

CVE-2011-4137 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4137):
  The verify_exists functionality in the URLField implementation in Django
  before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt
  access to an arbitrary URL with no timeout, which allows remote attackers to
  cause a denial of service (resource consumption) via a URL associated with
  (1) a slow response, (2) a completed TCP connection with no application data
  sent, or (3) a large amount of application data, a related issue to
  CVE-2011-1521.

CVE-2011-4136 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4136):
  django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when
  session data is stored in the cache, uses the root namespace for both
  session identifiers and application-data keys, which allows remote attackers
  to modify a session by triggering use of a key that is equal to that
  session's identifier.
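The CVE-2011-4136 entry above describes a cache-key namespace collision: when session data and application data share the root namespace of one cache, any application write whose key equals a session identifier silently replaces that session. The following toy store is an added illustration, not Django's own code; the `DictCache` class, the key names and the session id are constructed for the example, and the prefix string stands in for whatever subsystem-specific prefix a real fix would use.

```python
"""Toy cache-backed session store showing a shared-namespace collision
and the prefixed-key mitigation (constructed example, not Django code)."""


class DictCache:
    """Stand-in for a process-shared cache backend (memcached-like).

    Constructed for this example: a single flat key space, as real
    cache backends present it to every caller in the process.
    """

    def __init__(self):
        self._data = {}

    def get(self, key, default=None):
        return self._data.get(key, default)

    def set(self, key, value):
        self._data[key] = value


class RootNamespaceSessionStore:
    """Vulnerable pattern: session data is stored under the bare session id,
    so it lives in the same namespace as every other cache entry."""

    def __init__(self, cache):
        self.cache = cache

    def save(self, session_key, data):
        self.cache.set(session_key, dict(data))

    def load(self, session_key):
        return self.cache.get(session_key, {})


class PrefixedSessionStore:
    """Mitigated pattern: every session key is prefixed with a string that no
    application code uses, so an app write can never land on a session entry."""

    KEY_PREFIX = "sessions.cache."  # hypothetical prefix for this example

    def __init__(self, cache):
        self.cache = cache

    def _cache_key(self, session_key):
        return self.KEY_PREFIX + session_key

    def save(self, session_key, data):
        self.cache.set(self._cache_key(session_key), dict(data))

    def load(self, session_key):
        return self.cache.get(self._cache_key(session_key), {})


def app_cache_set(cache, key, value):
    """Ordinary application caching where the key is derived from request
    input (for example a lookup keyed by a query-string value)."""
    cache.set(key, value)


def run_scenario(store_cls):
    """Save a session, then let application code cache a value under a key
    that happens to equal the session id. Return what the session store
    reads back afterwards."""
    cache = DictCache()
    store = store_cls(cache)
    session_key = "2f8a9c1e"  # constructed session id
    store.save(session_key, {"user_id": 7})
    # Application data keyed by a value the remote client controls.
    app_cache_set(cache, session_key, {"user_id": 999})
    return store.load(session_key)


def shared_namespace_result():
    """Session read after the collision in the vulnerable store."""
    return run_scenario(RootNamespaceSessionStore)


def prefixed_namespace_result():
    """Session read after the same write in the mitigated store."""
    return run_scenario(PrefixedSessionStore)


def namespaces_isolated(store_cls):
    """Quick check a deployment could run against its own store: the session
    survives an application write under the bare session id."""
    return run_scenario(store_cls) == {"user_id": 7}


if __name__ == "__main__":
    print("shared namespace :", shared_namespace_result())
    print("prefixed namespace:", prefixed_namespace_result())
    print("isolated (fixed)  :", namespaces_isolated(PrefixedSessionStore))
```

The general lesson carries beyond sessions: any two subsystems that share one cache need disjoint key prefixes, otherwise a key that one subsystem derives from untrusted input can collide with a key the other treats as authoritative. `namespaces_isolated` is the kind of assertion worth keeping in a test suite when a cache backend is introduced.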