| Summary: | <dev-python/django-1.0.3: Disclosure of private files (CVE-2009-2659) | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Matt Summers (RETIRED) <quantumsummers> | ||||||
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||
| Status: | RESOLVED FIXED | ||||||||
| Severity: | trivial | CC: | mbartoszkiewicz, python | ||||||
| Priority: | High | ||||||||
| Version: | unspecified | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| URL: | http://www.djangoproject.com/weblog/2009/jul/28/security/ | ||||||||
| Whiteboard: | ~3 [noglsa] | ||||||||
| Package list: | Runtime testing required: | --- | |||||||
| Attachments: |
|
||||||||
|
Description
Matt Summers (RETIRED)
2009-07-30 17:42:02 UTC
Created attachment 199673 [details]
here is the updated ebuild, with fixes now that tests are included in the release tarball once again.
enjoy
Matt, thanks for the report. Python team, please proceed. (In reply to comment #1) Please attach unidiff patches instead of whole ebuilds. Created attachment 199749 [details]
diff
including fix for upstream tarball name change, and removal of tests workaround as they are now, correctly, included in the release.
Thanks to Arfrever for the assist.
Fixed. Parentheses in RDEPEND in the ebuild in the tree seem to be wrong:
sqlite? ( || (
>=dev-lang/python-2.5[sqlite] )
( dev-python/pysqlite:2 <dev-lang/python-2.5 )
)
(and similar for test in DEPEND)
I think there should be no parenthesis after >=dev-lang/python-2.5[sqlite] -- now portage wants to install python-2.4 and pysqlite in addition to python-2.6 I have already installed.
(In reply to comment #6) Fixed. CVE-2009-2659 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2659): The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL. |
