| Summary: | <dev-python/django-{1.4.8,1.5.4} : directory traversal issue (CVE-2013-4315) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Dirkjan Ochtman (RETIRED) <djc> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/ | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 484984 | | |
| Bug Blocks: | | | |
Description
Dirkjan Ochtman (RETIRED)
2013-09-11 09:41:34 UTC
(In reply to Dirkjan Ochtman from comment #0)
> Affects <1.4.7, <1.5.3, <1.6_beta3.

Thanks for the report. What about the 1.2 and 1.3 series?

From reading the $URL, I conclude they're not affected.

(In reply to Dirkjan Ochtman from comment #2)
> From reading the $URL, I conclude they're not affected.

Could you point to where you see that they are supported?

It explicitly lists the affected versions.

(In reply to Dirkjan Ochtman from comment #4)
> It explicitly lists the affected versions.

I don't see them available on the download main page. So I suppose there is no support, and that is why they didn't mention them in the advisory.

Okay. I think we can just punt everything < 1.4.5 (which is currently stable). Does anyone have a problem with that? If not, I'll do it in ~40h.

(In reply to Dirkjan Ochtman from comment #6)
> Does anyone have a problem with that?

There was bug #471614.

(In reply to Dirkjan Ochtman from comment #6)
> Okay. I think we can just punt everything < 1.4.5 (which is currently
> stable). Does anyone have a problem with that? If not, I'll do it in ~40h.

(In reply to Arfrever Frehtes Taifersar Arahesis from comment #7)
> (In reply to Dirkjan Ochtman from comment #6)
> > Does anyone have a problem with that?
>
> There was bug #471614.

Then just package.mask <1.4.7 after the stabilization.

Well, I think Markos should just clean up his code; we shouldn't carry around ebuilds for unpatched versions in the tree unless there's a lot of maintainer love (which it seems there isn't, for Django).

Stabilization will be handled in bug 484984.

CVE-2013-4315 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4315):
Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag.
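The check pattern the CVE text describes, as an added illustration that is not Django's code and not part of this bug: a plain string-prefix test against the allowed roots beside a hardened version that normalises the path and compares by directory component. The roots and file paths are constructed; the hardened form also rejects a sibling directory that merely shares an allowed root's name as a prefix, which goes beyond the case in the advisory.

```python
import os

# Constructed allowed roots (not from the advisory). In Django the
# {% ssi %} tag consulted the ALLOWED_INCLUDE_ROOTS setting for this.
ALLOWED_INCLUDE_ROOTS = ("/var/www/site/includes",)


def include_is_allowed_weak(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """String-prefix check of the kind the CVE describes as vulnerable.

    The path is never normalised, so a request that starts with an allowed
    root and continues with '..' segments still passes the prefix test.
    """
    return any(filepath.startswith(root) for root in roots)


def include_is_allowed_hardened(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Normalise first, then test containment per path component.

    os.path.abspath collapses '..' segments, and the trailing-separator
    comparison stops /var/www/site/includes_private from matching the
    root /var/www/site/includes.
    """
    real = os.path.abspath(filepath)
    for root in roots:
        root = os.path.abspath(root)
        if real == root or real.startswith(root + os.sep):
            return True
    return False


def compare_checks(filepath):
    """Return (weak_result, hardened_result) for one candidate path."""
    return include_is_allowed_weak(filepath), include_is_allowed_hardened(filepath)


if __name__ == "__main__":
    for candidate in (
        "/var/www/site/includes/header.html",            # legitimate include
        "/var/www/site/includes/../settings.py",         # '..' after the root
        "/var/www/site/includes_private/secret.html",    # sibling dir, prefix match
    ):
        print(candidate, compare_checks(candidate))
```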