
Bug 447470

Summary: <dev-python/django-{1.3.7,1.4.5}: multiple vulnerabilities (CVE-2013-{0305,0306,1664,1665})
Product: Gentoo Security
Reporter: Albert W. Hopkins <marduk>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.djangoproject.com/weblog/2012/dec/10/security/
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Albert W. Hopkins 2012-12-16 14:35:44 UTC
There are new security releases for dev-python/django.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-16 22:18:16 UTC
Thanks for the report, Albert.
Comment 2 Agostino Sarubbo gentoo-dev 2013-02-21 10:17:37 UTC
From: https://secunia.com/advisories/52243/ :

1) An error when expanding XML entities can be exploited to consume large amounts of memory and cause a crash or hang via a specially crafted XML containing malicious attributes.

2) An error when processing certain XML data can be exploited to disclose certain information by sending specially crafted XML data including external entity references.

3) The administrative interface does not properly verify access permissions when accessing the history view, which can be exploited to view the history of any object accessible in the admin interface.

4) An error within formsets when handling form submissions can be exploited to consume large amounts of memory and render the application unusable by submitting specially crafted forms.

The vulnerabilities are reported in versions prior to 1.3.6 and 1.4.4.

Solution
Update to version 1.3.6 or 1.4.4.
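Added example, not code from this bug or from Django itself: the hardening that addresses items 1 and 2 above is to parse untrusted XML with entity handling switched off. The function below does that with Python's expat bindings (the same approach Django's XML deserializer adopted in the fixed releases); the sample documents are constructed for the demonstration.

```python
import xml.parsers.expat


class EntitiesForbidden(ValueError):
    """Raised when untrusted XML declares or references entities."""


def parse_untrusted_xml(data: bytes):
    """Parse XML from an untrusted source with entity handling disabled.

    Returns a list of (element_name, attributes) tuples in document order.
    Any entity declaration (internal or parameter) aborts parsing, which
    blocks the entity-expansion memory exhaustion (item 1); any external
    entity reference is refused too, which blocks the external-entity
    disclosure (item 2).
    """
    elements = []
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires for every <!ENTITY ...> in the DTD, before any expansion happens.
        raise EntitiesForbidden(f"entity declaration not allowed: {name!r}")

    def external_entity_ref(context, base, system_id, public_id):
        # Fires if an external entity is actually dereferenced; never fetch it.
        raise EntitiesForbidden(f"external entity reference not allowed: {system_id!r}")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = lambda name, attrs: elements.append((name, dict(attrs)))
    parser.Parse(data, True)  # exceptions raised in handlers propagate from here
    return elements


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except EntitiesForbidden:
        return True
    return False


# Constructed sample inputs (not taken from the advisory).
BENIGN = b'<?xml version="1.0"?><objects><object pk="1" model="app.item"/></objects>'
# Declares an internal entity: the building block of an expansion attack.
ENTITY_DECL = b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "x">]><d>&a;</d>'
# Declares an external entity with a placeholder URI; rejected at the declaration.
EXTERNAL = b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e SYSTEM "http://placeholder.invalid/x">]><d>&e;</d>'
```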
Comment 3 Mike Gilbert gentoo-dev 2013-02-23 19:55:12 UTC
We probably want to jump to 1.3.7 and 1.4.5.
Comment 4 Mike Gilbert gentoo-dev 2013-02-23 21:26:55 UTC
+*django-1.3.7 (23 Feb 2013)
+*django-1.4.5 (23 Feb 2013)
+
+  23 Feb 2013; Mike Gilbert <floppym@gentoo.org> +django-1.3.7.ebuild,
+  +django-1.4.5.ebuild, django-9999.ebuild:
+  Version bumps for security bug 447470. Port 1.3.7 to distutils-r1. Disable
+  parallel testing.
+
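Review bot: the ChangeLog entry cites bug 447470 but not the CVE ids the bug summary lists (CVE-2013-0305, CVE-2013-0306, CVE-2013-1664, CVE-2013-1665); naming them in the entry lets users search the ChangeLog for a specific advisory. "Disable parallel testing" would also benefit from a short reason so the next maintainer knows whether it can be re-enabled.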
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-23 21:47:29 UTC
(In reply to comment #4)
> +*django-1.3.7 (23 Feb 2013)
> +*django-1.4.5 (23 Feb 2013)
> +
> +  23 Feb 2013; Mike Gilbert <floppym@gentoo.org> +django-1.3.7.ebuild,
> +  +django-1.4.5.ebuild, django-9999.ebuild:
> +  Version bumps for security bug 447470. Port 1.3.7 to distutils-r1. Disable
> +  parallel testing.
> +

Thanks, Mike!

Arches, please test and mark stable both:
=dev-python/django-1.3.7
=dev-python/django-1.4.5
Comment 6 Mike Gilbert gentoo-dev 2013-02-23 22:08:13 UTC
We also need to stabilize the following as dependencies:

=dev-python/mysql-python-1.2.3-r1
=dev-python/imaging-1.1.7-r2
=dev-python/psycopg-2.4.6-r1
Comment 7 Agostino Sarubbo gentoo-dev 2013-02-24 12:10:50 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-02-24 12:15:18 UTC
x86 stable
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-22 15:40:42 UTC
GLSA vote: no
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2013-04-01 14:40:15 UTC
NO too, closing.