222029 CVE-2008-2302 2008-05-14 07:50 0000 dev-python/django < 0.96.2 XSS (CVE-2008-2302) 2008-05-26 19:01:42 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.djangoproject.com/weblog/2008/may/14/security/ ~4 [noglsa] P2 trivial --- 1 nelchael@gentoo.org security@gentoo.org python@gentoo.org nelchael@gentoo.org 2008-05-14 07:50:17 0000 Description of vulnerability The Django administration application will, when accessed by a user who is not sufficiently authenticated, display a login form and ask the user to provide the necessary credentials before displaying the requested page. This form will be submitted to the URL the user attempted to access, by supplying the current request path as the value of the form's "action" attribute. The value of the request path was not being escaped, creating an opportunity for a cross-site scripting (XSS) attack by leading a user to a URL which contained URL-encoded HTML and/or JavaScript in the request path. Affected versions * Django development trunk * Django 0.96 * Django 0.95 * Django 0.91 Resolution The login form has been changed to escape the request path before use as the form's submission action. The relevant changesets for affected versions of Django are: * Django development trunk: Changeset 7521 * Django 0.96: Changeset 7527 * Django 0.95: Changeset 7528 * Django 0.91: Changeset 7529 The following releases have been issued based on the above changesets: * Django 0.96.2 * Django 0.95.3 * Django 0.91.2 All users of affected versions of Django are strongly encouraged to apply the relevant patch or upgrade to the relevant patched release as soon as possible. py@gentoo.org 2008-05-14 09:32:37 0000 Python herd, please bump as necessary nelchael@gentoo.org 2008-05-21 07:38:12 0000 Bumping it won't be as easy as it seems: in 0.96.2 tarball some directories are missing (like extras, examples). I've filled a bug upstream about that, but it got closed as WONTFIX: http://code.djangoproject.com/ticket/7273, last comment from that bug: > Actually, the 0.96.1 tarball was generated by an svn export, while 0.96.2 was > generated by using the setup.py script. What this means, really, is that the > setup.py script was borked (a known issue), but unfortunately I don't think we > can do much about it; the bugfixes branches are really only for critical > security fixes. So the Django code should come from 0.96.2, and the rest from 0.96.1 or use 0.96.1 tarball with a patch. nelchael@gentoo.org 2008-05-26 06:40:07 0000 Created an attachment (id=154317) django-0.96.1-to-0.96.2.ebuild.patch This is a patch for 0.96.1 ebuild to create 0.96.2: it has both versions in SRC_URI and uses the missing directories from 0.96.1. rbu@gentoo.org 2008-05-26 17:56:42 0000 Krzysiek, feel free to commit the attached patch to CVS. Or do you need additional review? nelchael@gentoo.org 2008-05-26 18:17:16 0000 Done: ------------------------------------------------------------------------------ Version bump to fix security bug, see bug #222029. (Portage version: 2.1.5.2) ------------------------------------------------------------------------------ rbu@gentoo.org 2008-05-26 18:19:36 0000 Thanks, closing without stabling and GLSA. 154317 2008-05-26 06:40 0000 django-0.96.1-to-0.96.2.ebuild.patch django-0.96.1-to-0.96.2.ebuild.patch text/plain LS0tIGRqYW5nby0wLjk2LjEuZWJ1aWxkCTIwMDgtMDUtMjYgMDg6MjI6NTEuMDAwMDAwMDAwICsw MjAwCisrKyBkamFuZ28tMC45Ni4yLmVidWlsZAkyMDA4LTA1LTI2IDA4OjM2OjU0LjAwMDAwMDAw MCArMDIwMApAQCAtNSwxMiArNSwxNiBAQAogaW5oZXJpdCBiYXNoLWNvbXBsZXRpb24gZGlzdHV0 aWxzIGV1dGlscyB2ZXJzaW9uYXRvcgogCiBSUFY9JChnZXRfdmVyc2lvbl9jb21wb25lbnRfcmFu Z2UgMS0yKQorRVhUUkFTX1ZFUlNJT049IjAuOTYuMSIKIAogTVlfUD0iRGphbmdvLSR7UFZ9Igog CiBERVNDUklQVElPTj0iaGlnaC1sZXZlbCBweXRob24gd2ViIGZyYW1ld29yayIKIEhPTUVQQUdF PSJodHRwOi8vd3d3LmRqYW5nb3Byb2plY3QuY29tLyIKLVNSQ19VUkk9Imh0dHA6Ly9tZWRpYS5k amFuZ29wcm9qZWN0LmNvbS9yZWxlYXNlcy8ke1JQVn0vJHtNWV9QfS50YXIuZ3oiCitTUkNfVVJJ PSJodHRwOi8vbWVkaWEuZGphbmdvcHJvamVjdC5jb20vcmVsZWFzZXMvJHtSUFZ9LyR7TVlfUH0u dGFyLmd6CisJCWh0dHA6Ly9tZWRpYS5kamFuZ29wcm9qZWN0LmNvbS9yZWxlYXNlcy8ke1JQVn0v RGphbmdvLSR7RVhUUkFTX1ZFUlNJT059LnRhci5neiIKKwkJIyBXZSBuZWVkICR7RVhUUkFTX1ZF UlNJT059IGluIFNSQ19VUkksIGJlY2F1c2UgaXQncyB0aGUgbGFzdCByZWxlYXNlIHRoYXQKKwkJ IyBjb250YWlucyBleHRyYXMsIHRlc3RzIGFuZCBleGFtcGxlcywgc2VlIGFsc28gc3JjX3VucGFj awogTElDRU5TRT0iQlNEIgogU0xPVD0iMCIKIEtFWVdPUkRTPSJ+YW1kNjQgfmlhNjQgfnBwYyB+ cHBjNjQgfng4NiIKQEAgLTMxLDYgKzM1LDIwIEBACiAKIERPQ1M9ImRvY3MvKiBBVVRIT1JTIgog CitzcmNfdW5wYWNrKCkgeworCisJZGlzdHV0aWxzX3NyY191bnBhY2sKKworCSMgVGhvc2UgZGly ZWN0b3JpZXMgYXJlIG1pc3NpbmcgZnJvbSAwLjk2LjIsIHNvIHdlIGNvcHkgdGhlbSBvdmVyIGZy b20KKwkjICR7RVhUUkFTX1ZFUlNJT059IChjdXJyZW50bHkgMC45Ni4xKToKKwljcCAtYSAiJHtX T1JLRElSfS9EamFuZ28tJHtFWFRSQVNfVkVSU0lPTn0vZXhhbXBsZXMiICIke1N9LyIgfHwgZGll CisJY3AgLWEgIiR7V09SS0RJUn0vRGphbmdvLSR7RVhUUkFTX1ZFUlNJT059L2V4dHJhcyIgIiR7 U30vIiB8fCBkaWUKKwljcCAtYSAiJHtXT1JLRElSfS9EamFuZ28tJHtFWFRSQVNfVkVSU0lPTn0v dGVzdHMiICIke1N9LyIgfHwgZGllCisJY3AgLWEgIiR7V09SS0RJUn0vRGphbmdvLSR7RVhUUkFT X1ZFUlNJT059L2RqYW5nby9jb250cmliL2Zvcm10b29scy90ZW1wbGF0ZXMiIFwKKwkJIiR7U30v ZGphbmdvL2NvbnRyaWIvZm9ybXRvb2xzLyIgfHwgZGllCisKK30KKwogc3JjX3Rlc3QoKSB7CiAJ Y2F0ID4+IHRlc3RzL3NldHRpbmdzLnB5IDw8IF9fRU9GX18KIERBVEFCQVNFX0VOR0lORT0nc3Fs aXRlMycK