| Summary: | <dev-python/django-1.4.11 : Multiple Vulnerabilities (CVE-2014-{0472,0473,0474}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/58201/ | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-04-23 14:14:02 UTC
*django-1.4.11 (25 Apr 2014)
*django-1.6.3 (25 Apr 2014)
*django-1.5.6 (25 Apr 2014)

25 Apr 2014; Ian Delaney <idella4@gentoo.org> +django-1.4.11.ebuild, +django-1.5.6.ebuild, +django-1.6.3.ebuild, django-1.6.1.ebuild:
bumps wrt Bug #508514

just stabilise django-1.4.8 for now thx

(In reply to Ian Delaney from comment #2)
> just stabilise django-1.4.8 for now thx

I guess 1.4.11

Arches, please test and mark stable:
=dev-python/django-1.4.11
Target keywords : "amd64 x86"

amd64 stable

x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

CVE-2014-0472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0472):
The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

(In reply to Agostino Sarubbo from comment #5)
> x86 stable.
>
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

28 Apr 2014; Ian Delaney <idella4@gentoo.org> -django-1.4.8.ebuild:
remove -1.4.8 wrt bug #508514

The others can be put up for stable in a month

(In reply to Ian Delaney from comment #7)
> (In reply to Agostino Sarubbo from comment #5)
> > x86 stable.
> >
> > Maintainer(s), please cleanup.
> > Security, please add it to the existing request, or file a new one.
>
> 28 Apr 2014; Ian Delaney <idella4@gentoo.org> -django-1.4.8.ebuild:
> remove -1.4.8 wrt bug #508514
>
> The others can be put up for stable in a month

Ian,

Can you also clean up django-1.6.1 and django-1.5.4, as they are also vulnerable.

Thank you

02 May 2014; Ian Delaney <idella4@gentoo.org> -django-1.5.4.ebuild, -django-1.6.1.ebuild:
cleanout wrt Bug 508514

Maintainer(s), Thank you for cleanup!
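The CVE-2014-0472 description above is terse, so here is an added illustration of the pattern it names (example code written for this page, not Django's own urlresolvers code). A reverse()-style lookup that imports the module part of a dotted path before checking it against the URLconf will import whatever module an attacker names, with that module's import-time side effects. The hardened variant mirrors the shape of the 1.4.11 fix as described in Django's release notes: only modules the URLconf itself references may be imported. `URLCONF`, `myapp.views`, `attacker_module` and the marker file are constructed fixtures for the demo; nothing here touches a real project.

```python
"""CVE-2014-0472 pattern: reverse() importing a user-controlled dotted path.

Constructed stand-alone example (not Django's code). 'myapp.views' and
'attacker_module' are throwaway modules written to a temp dir at runtime.
"""
import importlib
import os
import sys
import tempfile

# Constructed stand-in for urlpatterns: URL name -> (path, dotted view path).
URLCONF = {
    "login": ("/accounts/login/", "myapp.views.login"),
    "logout": ("/accounts/logout/", "myapp.views.logout"),
}


def _module_of(dotted):
    """'myapp.views.login' -> 'myapp.views'."""
    return dotted.rpartition(".")[0]


def _match(viewname):
    for path, dotted in URLCONF.values():
        if dotted == viewname:
            return path
    raise LookupError("no reverse match for %r" % viewname)


def reverse_vulnerable(viewname):
    """Pre-1.4.11 shape: the dotted path is imported *before* it is matched
    against the URLconf, so any importable module named in the input is
    executed, whether or not a URL pattern refers to it."""
    if "." in viewname:
        importlib.import_module(_module_of(viewname))
    return _match(viewname)


def reverse_hardened(viewname):
    """1.4.11 shape: only modules that the URLconf itself names may be imported."""
    allowed = {_module_of(dotted) for _, dotted in URLCONF.values()}
    if "." in viewname:
        if _module_of(viewname) not in allowed:
            raise LookupError("module not referenced by the URLconf: %r" % viewname)
        importlib.import_module(_module_of(viewname))
    return _match(viewname)


def setup_fixture():
    """Create 'myapp.views' plus 'attacker_module', whose import side effect is
    to drop a marker file; put the temp dir on sys.path; return the marker path."""
    root = tempfile.mkdtemp(prefix="cve-2014-0472-")
    os.mkdir(os.path.join(root, "myapp"))
    open(os.path.join(root, "myapp", "__init__.py"), "w").close()
    with open(os.path.join(root, "myapp", "views.py"), "w") as f:
        f.write("def login(request):\n    pass\n\ndef logout(request):\n    pass\n")
    marker = os.path.join(root, "IMPORTED_BY_REVERSE")
    with open(os.path.join(root, "attacker_module.py"), "w") as f:
        # Stand-in for any module whose mere import does something observable.
        f.write("import os\n"
                "open(os.path.join(os.path.dirname(__file__), "
                "'IMPORTED_BY_REVERSE'), 'w').close()\n")
    sys.path.insert(0, root)
    importlib.invalidate_caches()
    return marker


def demo():
    """Return what each reverse() variant does with a legitimate name and with
    attacker-controlled input such as a 'next' or 'view' query parameter."""
    marker = setup_fixture()
    tainted = "attacker_module.anything"   # never appears in URLCONF
    out = {"legit": reverse_hardened("myapp.views.login")}

    try:
        reverse_vulnerable(tainted)
    except LookupError:
        pass                                # no match, but the import already ran
    out["vulnerable_imported"] = os.path.exists(marker)

    if os.path.exists(marker):
        os.remove(marker)
    sys.modules.pop("attacker_module", None)
    try:
        reverse_hardened(tainted)
    except LookupError:
        pass                                # rejected before any import
    out["hardened_imported"] = os.path.exists(marker)
    return out


if __name__ == "__main__":
    print(demo())
```

The point to take from the demo is the ordering: the vulnerable lookup fails the URL match exactly as the hardened one does, but by then the attacker's module has already been executed. Grepping a code base for `reverse(request.GET[...])`-style calls, or any reverse() whose first argument is not a literal, is the practical check for this bug class.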
Added to new GLSA Request

This issue was resolved and addressed in GLSA 201406-26 at http://security.gentoo.org/glsa/glsa-201406-26.xml by GLSA coordinator Chris Reffett (creffett).

CVE-2014-0474 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0474):
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."

CVE-2014-0473 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0473):
The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.
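To make the CVE-2014-0473 mechanism concrete, the following is an added simulation (example code written for this page, not Django's cache or CSRF middleware). A full-page cache that stores a response together with the Set-Cookie that minted a fresh CSRF token hands that same token to every later cookie-less client who hits the cached URL; since Django's CSRF check only compares the cookie with the hidden form field, an attacker who is one of those anonymous clients knows the victim's token. The hardened branch applies the heuristic Django's 1.4.11 release notes describe (cookie-less request, cookie-setting response, Vary: Cookie: do not cache) while still caching for clients that already carry a cookie. `Response`, `csrf_form_view` and `AnonymousPageCache` are simplified stand-ins for HttpResponse, CsrfViewMiddleware and UpdateCacheMiddleware.

```python
"""CVE-2014-0473 pattern: a page cache storing the Set-Cookie that carries a
fresh CSRF token, so later anonymous clients all receive the same token.

Constructed stand-alone example (not Django's code).
"""
import secrets


class Response:
    def __init__(self, body):
        self.body = body
        self.cookies = {}    # what would become Set-Cookie headers
        self.headers = {}


def csrf_form_view(request_cookies):
    """View under CSRF protection: reuse the client's token if present,
    otherwise mint one, set the cookie and flag the response Vary: Cookie."""
    token = request_cookies.get("csrftoken")
    resp = Response("")
    if token is None:
        token = secrets.token_hex(16)
        resp.cookies["csrftoken"] = token
        resp.headers["Vary"] = "Cookie"
    resp.body = '<input type="hidden" name="csrfmiddlewaretoken" value="%s">' % token
    return resp


class AnonymousPageCache:
    """Per-URL cache of responses for anonymous clients, keyed on the request's
    cookies so that Vary: Cookie is honoured."""

    def __init__(self, refuse_cookie_setting_responses):
        self.refuse = refuse_cookie_setting_responses
        self.store = {}

    @staticmethod
    def _key(path, request_cookies):
        return (path, tuple(sorted(request_cookies.items())))

    def _cacheable(self, request_cookies, resp):
        if not self.refuse:
            return True                       # pre-1.4.11: cache everything
        # 1.4.11 heuristic: a cookie-less request that produced a cookie-setting
        # response marked Vary: Cookie is client-specific; never store it.
        sets_cookie = bool(resp.cookies)
        varies_on_cookie = "cookie" in resp.headers.get("Vary", "").lower()
        return not (not request_cookies and sets_cookie and varies_on_cookie)

    def handle(self, path, request_cookies):
        key = self._key(path, request_cookies)
        if key in self.store:
            return self.store[key]            # cached copy, Set-Cookie and all
        resp = csrf_form_view(request_cookies)
        if self._cacheable(request_cookies, resp):
            self.store[key] = resp
        return resp


def tokens_for_two_anonymous_clients(refuse_cookie_setting_responses):
    """Two fresh clients (no cookies) request the same URL. Return the token each
    is handed in Set-Cookie and whether the second got the first's cached response."""
    cache = AnonymousPageCache(refuse_cookie_setting_responses)
    first = cache.handle("/comment/", {})
    second = cache.handle("/comment/", {})
    return first.cookies["csrftoken"], second.cookies["csrftoken"], second is first


def forged_request_would_pass(refuse_cookie_setting_responses):
    """The attacker is anonymous client one, the victim anonymous client two.
    The CSRF check is 'cookie == form field', so the forgery succeeds exactly
    when the cache gave both the same token."""
    attacker_token, victim_token, _ = tokens_for_two_anonymous_clients(
        refuse_cookie_setting_responses)
    return attacker_token == victim_token


def hardened_still_caches_returning_clients():
    """A client that already has a csrftoken cookie gets a response that sets
    no cookie; the heuristic leaves that response cacheable. Returns entry count."""
    cache = AnonymousPageCache(refuse_cookie_setting_responses=True)
    cache.handle("/comment/", {"csrftoken": "a" * 32})   # constructed client token
    return len(cache.store)


if __name__ == "__main__":
    print("vulnerable cache, forgery passes:", forged_request_would_pass(False))
    print("hardened cache, forgery passes:", forged_request_would_pass(True))
```

When auditing a deployment that fronts Django with its own cache (Varnish, nginx proxy_cache, a CDN), apply the same test from outside: fetch a CSRF-protected page twice from cookie-less sessions and compare the `csrftoken` Set-Cookie values; equal values mean the edge cache is reintroducing this bug regardless of the Django version.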