Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 510382 (CVE-2014-1418)

Summary: <dev-python/django-{1.4.13,1.5.8,1.6.5}: two vulnerabilities (CVE-2014-{1418,3730})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-05-15 07:41:56 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1097500:

It was reported that, in certain situations, cached data in Django could be served to a different session, or to a user with no session at all. The original report from upstream:

""
In certain situations, Django may allow caches to store private data
related to a particular session and then serve that data to requests
with a different session, or no session at all. This can both lead to
information disclosure, and can be a vector for cache poisoning.

When using Django sessions, Django will set a ``Vary: Cookie`` header
to ensure caches do not serve cached data to requests from other
sessions. However, older versions of Internet Explorer (most likely
only Internet Explorer 6, and Internet Explorer 7 if run on Windows XP
or Windows Server 2003) are unable to handle the ``Vary`` header in
combination with many content types. Therefore, Django would remove
the header if the request was made by Internet Explorer.

To remedy this, the special behavior for these older Internet
Explorer versions has been removed, and the ``Vary`` header is no
longer stripped from the response. In addition, modifications to the
``Cache-Control`` header for all Internet Explorer requests with a
``Content-Disposition`` header, have also been removed as they were
found to have similar issues.
""

This issue affects Django versions 1.4, 1.5, 1.6, and 1.7. It has been fixed in versions 1.4.13, 1.5.8, 1.6.5, and 1.7 beta 4.



From https://bugzilla.redhat.com/show_bug.cgi?id=1097505:

A redirect issue was reported in Django. This could lead to a victim being redirected to an arbitrary site. The original report from upstream:

""
The validation for redirects did not correctly validate some malformed
URLs, which are accepted by some browsers. This allows a user to be
redirected to an unsafe URL unexpectedly.

Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login`, ``django.contrib.comments``,
and :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on
success" URL. The security checks for these redirects (namely
``django.util.http.is_safe_url()``) did not correctly validate some
malformed URLs, such as `http:\\\\\\djangoproject.com`, which are
accepted by some browsers with more liberal URL parsing.

To remedy this, the validation in ``is_safe_url()`` has been tightened
to be able to handle and correctly validate these malformed URLs.
""

This issue affects Django versions 1.4, 1.5, 1.6, and 1.7. It has been fixed in versions 1.4.13, 1.5.8, 1.6.5, and 1.7 beta 4.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2014-05-26 14:40:19 UTC
*django-1.4.13 (26 May 2014)
*django-1.5.8 (26 May 2014)

  26 May 2014; Ian Delaney <idella4@gentoo.org> +django-1.4.13.ebuild,
  +django-1.5.8.ebuild, -django-1.4.12.ebuild, -django-1.5.6.ebuild,
  -django-1.5.7.ebuild, -django-1.6.3.ebuild, django-1.6.5.ebuild:
  bumps; clean of old, excepting the stable -1.4.11, wrt sec. Bug #510382

Arch teams please make stable ALL bumped versions;
dev-python/django-1.4.13 django-1.5.8 django-1.6.5
in arches; amd64 x86 (before they release any more)
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-30 06:11:45 UTC
Arches, please test and mark stable:

=dev-python/django-1.4.13
=dev-python/django-1.5.8
=dev-python/django-1.6.5


Target Keywords : "amd64 x86"

Thank you!
Comment 3 Agostino Sarubbo gentoo-dev 2014-05-31 10:27:20 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-06-08 10:59:47 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Dirkjan Ochtman gentoo-dev 2014-06-08 13:10:03 UTC
Cleanup done.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-14 02:22:34 UTC
Arches and Mainter(s), Thank you for your work.

Added to an existing GLSA request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-06-26 22:59:31 UTC
This issue was resolved and addressed in
 GLSA 201406-26 at http://security.gentoo.org/glsa/glsa-201406-26.xml
by GLSA coordinator Chris Reffett (creffett).
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 21:03:07 UTC
CVE-2014-3730 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3730):
  The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5
  before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly
  validate URLs, which allows remote attackers to conduct open redirect
  attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com."

CVE-2014-1418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1418):
  Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before
  1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control
  header in responses, which allows remote attackers to obtain sensitive
  information or poison the cache via a request from certain browsers.