Bug 554864 (CVE-2015-5143) - <dev-python/django-{1.4.21,1.7.9,1.8.3}: multiple vulnerabilities (CVE-2015-{5143,5144,5145})
Summary: <dev-python/django-{1.4.21,1.7.9,1.8.3}: multiple vulnerabilities (CVE-2015-{...
Status: RESOLVED FIXED
Alias: CVE-2015-5143
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-14 10:02 UTC by Agostino Sarubbo
Modified: 2015-10-31 15:25 UTC (History)
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2015-07-14 10:02:55 UTC
From ${URL} :

Today the Django team issued multiple releases -- Django 1.4.21, 1.7.9, and 
1.8.3 -- as part of our security process. These releases address a couple 
security issues, and we encourage all users to upgrade as soon as possible.

More details can be found on our blog:

https://www.djangoproject.com/weblog/2015/jul/08/security-releases/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2015-07-15 10:42:51 UTC
*django-1.8.3 (15 Jul 2015)
*django-1.7.9 (15 Jul 2015)
*django-1.4.21 (15 Jul 2015)

  15 Jul 2015; Ian Delaney <idella4@gentoo.org> +django-1.4.21.ebuild,
  +django-1.7.9.ebuild, +django-1.8.3.ebuild:
  bumps wrt bug #554864

I'd suggest going directly to stabilising; amd64 x86
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2015-07-27 20:23:21 UTC
Please stabilize

django-1.7.9
django-1.4.21
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-07-28 03:19:47 UTC
CVE-2015-5145 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5145):
  validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers
  to cause a denial of service (CPU consumption) via unspecified vectors.

CVE-2015-5144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5144):
  Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x
  before 1.8.3 uses an incorrect regular expression, which allows remote
  attackers to inject arbitrary headers and conduct HTTP response splitting
  attacks via a newline character in an (1) email message to the
  EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the
  (3) validate_ipv4_address or (4) validate_slug validator.

CVE-2015-5143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5143):
  The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x
  before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a
  denial of service (session store consumption) via multiple requests with
  unique session keys.
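The regex pitfall behind the CVE-2015-5144 entry above, shown with constructed validators (an added illustration, not Django's code or anything from this bug): in Python's re module a pattern anchored with `$` also matches immediately before a single trailing newline, so a `^...$` validator accepts `value\n`, while `\Z` rejects it. The character classes are assumed approximations of a slug and IPv4 validator, and `header_safe`/`audit` are hypothetical defensive helpers.

```python
import re

# Constructed "weak" validators anchored with "$": in Python, "$" matches at
# the end of the string OR just before a final "\n", so "abc\n" passes.
WEAK = {
    "slug": re.compile(r"^[-a-zA-Z0-9_]+$"),
    "ipv4": re.compile(
        r"^(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}$"
    ),
}

# Same patterns anchored with "\Z", which matches only at the true end of the
# string (assumption: this is the shape of the upstream fix; the exact Django
# patterns are not on this page).
FIXED = {
    "slug": re.compile(r"^[-a-zA-Z0-9_]+\Z"),
    "ipv4": re.compile(
        r"^(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}\Z"
    ),
}


def is_valid(rules, name, value):
    """True if `value` passes the named validator (search(), like a regex validator)."""
    return rules[name].search(value) is not None


def header_safe(value):
    """Defensive check before a validated value is placed in an HTTP header:
    reject CR/LF outright, independent of what the validator accepted."""
    return "\r" not in value and "\n" not in value


def audit(values):
    """Return validator names for inputs the weak patterns accept even though
    they carry a newline, i.e. the cases the "$" anchor lets through."""
    findings = []
    for name, value in values:
        if is_valid(WEAK, name, value) and not header_safe(value):
            findings.append(name)
    return findings
```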
Comment 4 Agostino Sarubbo gentoo-dev 2015-07-28 10:22:32 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-07-28 10:22:50 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Justin Lecher (RETIRED) gentoo-dev 2015-07-28 14:33:23 UTC
+  28 Jul 2015; Justin Lecher <jlec@gentoo.org> -django-1.4.20.ebuild,
+  -django-1.7.7.ebuild, -django-1.7.8.ebuild, -django-1.8.2.ebuild,
+  -files/django-1.4.19-test.patch, -files/django-1.5-objects.patch,
+  -files/django-1.6.10-test.patch:
+  Drop vulnerable version, bug #554864
+

Cleaned.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-09-27 01:36:54 UTC
GLSA Vote: Yes
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-07 07:54:37 UTC
(In reply to Yury German from comment #7)
> GLSA Vote: Yes

GLSA Vote: Yes
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2015-10-31 15:25:35 UTC
This issue was resolved and addressed in
 GLSA 201510-06 at https://security.gentoo.org/glsa/201510-06
by GLSA coordinator Kristian Fiskerstrand (K_F).