
Bug 484566 (CVE-2013-4315)

Summary: <dev-python/django-{1.4.8,1.5.4} : directory traversal issue (CVE-2013-4315)
Product: Gentoo Security
Reporter: Dirkjan Ochtman (RETIRED) <djc>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 484984
Bug Blocks:

Description Dirkjan Ochtman (RETIRED) gentoo-dev 2013-09-11 09:41:34 UTC
Affects <1.4.7, <1.5.3, <1.6_beta3.
Comment 1 Agostino Sarubbo gentoo-dev 2013-09-11 12:35:50 UTC
(In reply to Dirkjan Ochtman from comment #0)
> Affects <1.4.7, <1.5.3, <1.6_beta3.

Thanks for the report. What about the 1.2 and 1.3 series?
Comment 2 Dirkjan Ochtman (RETIRED) gentoo-dev 2013-09-11 13:18:33 UTC
From reading the $URL, I conclude they're not affected.
Comment 3 Agostino Sarubbo gentoo-dev 2013-09-12 19:21:22 UTC
(In reply to Dirkjan Ochtman from comment #2)
> From reading the $URL, I conclude they're not affected.

Could you point out where you see that they are supported?
Comment 4 Dirkjan Ochtman (RETIRED) gentoo-dev 2013-09-13 08:14:57 UTC
It explicitly lists the affected versions.
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-14 09:39:43 UTC
(In reply to Dirkjan Ochtman from comment #4)
> It explicitly lists the affected versions.

I don't see them available on the main download page. So I suppose there is no support, and that is why they didn't mention them in the advisory.
Comment 6 Dirkjan Ochtman (RETIRED) gentoo-dev 2013-09-14 16:47:21 UTC
Okay. I think we can just punt everything < 1.4.5 (which is currently stable). Does anyone have a problem with that? If not, I'll do it in ~40h.
Comment 7 Arfrever Frehtes Taifersar Arahesis 2013-09-15 06:36:11 UTC
(In reply to Dirkjan Ochtman from comment #6)
> Does anyone have a problem with that?

There was bug #471614.
Comment 8 Agostino Sarubbo gentoo-dev 2013-09-15 08:13:53 UTC
(In reply to Dirkjan Ochtman from comment #6)
> Okay. I think we can just punt everything < 1.4.5 (which is currently
> stable). Does anyone have a problem with that? If not, I'll do it in ~40h.

(In reply to Arfrever Frehtes Taifersar Arahesis from comment #7)
> (In reply to Dirkjan Ochtman from comment #6)
> > Does anyone have a problem with that?
> 
> There was bug #471614.

Then just package.mask <1.4.7 after the stabilization.
Comment 9 Dirkjan Ochtman (RETIRED) gentoo-dev 2013-09-15 10:21:01 UTC
Well, I think Markos should just clean up his code, we shouldn't carry around ebuilds for unpatched versions in the tree unless there's a lot of maintainer love (which it seems there isn't, for Django).
Comment 10 Dirkjan Ochtman (RETIRED) gentoo-dev 2013-09-15 11:05:28 UTC
Stabilization will be handled in bug 484984.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-09-17 22:56:01 UTC
CVE-2013-4315 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4315):
  Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before
  1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary
  files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a ..
  (dot dot) in a ssi template tag.
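The ALLOWED_INCLUDE_ROOTS check that the CVE text describes, as an added example (not Django's code and not from the bug report): a naive prefix match beside a check that normalises the path first. The roots and paths are constructed, and the example also covers the related prefix-boundary case of a sibling directory that shares the root's name.

```python
import posixpath

# Constructed sample value for the ALLOWED_INCLUDE_ROOTS setting (hypothetical
# path, not from the Django project or from the bug report).
ALLOWED_INCLUDE_ROOTS = ("/srv/app/includes",)


def include_is_allowed_naive(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Prefix match on the raw path, the pattern behind CVE-2013-4315.

    The path is compared as given: a value that begins with an allowed root
    and then climbs back out with '..' still passes, because nothing
    normalises it before the comparison.
    """
    return any(filepath.startswith(root) for root in roots)


def include_is_allowed_safe(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Normalise first, then require the file to sit inside an allowed root.

    posixpath.abspath collapses '.' and '..' segments without touching the
    filesystem, so the verdict does not depend on the file existing;
    posixpath.commonpath compares whole path components, so a root of
    /srv/app/includes does not also admit /srv/app/includes_private.
    """
    resolved = posixpath.abspath(filepath)
    for root in roots:
        root_abs = posixpath.abspath(root)
        if posixpath.commonpath([root_abs, resolved]) == root_abs:
            return True
    return False


def compare(paths):
    """Return {path: (naive_verdict, safe_verdict)} for each constructed path."""
    return {p: (include_is_allowed_naive(p), include_is_allowed_safe(p)) for p in paths}


if __name__ == "__main__":
    # Constructed inputs: a legitimate include, a '..' escape of the kind the
    # CVE text describes, and a sibling directory that shares the root's prefix.
    samples = [
        "/srv/app/includes/header.html",
        "/srv/app/includes/../secrets/settings.py",
        "/srv/app/includes_private/secret.html",
    ]
    for path, (naive, safe) in compare(samples).items():
        print(f"{path:45} naive={naive!s:5} safe={safe}")
```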