| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <dev-python/django-{1.4.15,1.5.10,1.6.7}: multiple vulnerabilities (CVE-2014-{0480,0481,0482,0483}) | | |
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.djangoproject.com/weblog/2014/aug/20/security/ | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-08-27 15:46:02 UTC
new versions added, please proceed amd64 stable x86 stable.

Maintainer(s), please cleanup. Security, please vote.

Arches, thank you for your work. Maintainer(s), please drop the vulnerable version.

GLSA Vote: Yes

CVE-2014-0483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0483): The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.

CVE-2014-0482 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0482): The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.

CVE-2014-0481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0481): The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by uploading multiple files with the same name.

CVE-2014-0480 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0480): The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.
04 Sep 2014; Ian Delaney <idella4@gentoo.org> -django-1.4.13.ebuild, -django-1.5.8.ebuild, -django-1.6.5.ebuild:
drop vulnerable versions wrt Bug #521324

GLSA Vote

(In reply to Ian Delaney from comment #6)
> 04 Sep 2014; Ian Delaney <idella4@gentoo.org> -django-1.4.13.ebuild,
> -django-1.5.8.ebuild, -django-1.6.5.ebuild:
> drop vulnerable versions wrt Bug #521324

Thank you for cleanup. GLSA Vote: Yes. New GLSA Request filed.

https://www.djangoproject.com/weblog/2014/sep/02/release-17-final/ :

"Bugfix releases

... today we are issuing bugfix releases in the 1.4, 1.5 and 1.6 series, which correct some bugs which existed after the most recent security releases.

Today's releases are:

Django 1.4.15 (download 1.4.15 | 1.4.15 checksums)
Django 1.5.10 (download 1.5.10 | 1.5.10 checksums)
Django 1.6.7 (download 1.6.7 | 1.6.7 checksums)"

(In reply to Arfrever Frehtes Taifersar Arahesis from comment #8)
Detailed explanation of regression: https://code.djangoproject.com/ticket/23329

(In reply to Arfrever Frehtes Taifersar Arahesis from comment #8)
> https://www.djangoproject.com/weblog/2014/sep/02/release-17-final/ :
>
> "Bugfix releases
>
> ... today we are issuing bugfix releases in the 1.4, 1.5 and 1.6 series,
> which correct some bugs which existed after the most recent security
> releases.
>
> Today's releases are:
>
> Django 1.4.15 (download 1.4.15 | 1.4.15 checksums)
> Django 1.5.10 (download 1.5.10 | 1.5.10 checksums)
> Django 1.6.7 (download 1.6.7 | 1.6.7 checksums)"

*django-1.6.7 (09 Sep 2014)
*django-1.4.15 (09 Sep 2014)
*django-1.5.10 (09 Sep 2014)

09 Sep 2014; Ian Delaney <idella4@gentoo.org> +django-1.4.15.ebuild, +django-1.5.10.ebuild, +django-1.6.7.ebuild, django-9999.ebuild:
bumps

Need to do them again. Please proceed amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please vote.
17 Sep 2014; Ian Delaney <idella4@gentoo.org> -django-1.4.14.ebuild, -django-1.5.9.ebuild, -django-1.6.6.ebuild, django-1.6.7.ebuild, django-1.7.ebuild:
syntax fix, drop vulnerable versions wrt Bug #521324

Arches and Maintainer(s), thank you for your work.

GLSA Vote: Yes

GLSA vote: yes. GLSA drafted and ready for peer-review.

This issue was resolved and addressed in GLSA 201412-22 at http://security.gentoo.org/glsa/glsa-201412-22.xml by GLSA coordinator Sean Amoss (ackle).
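Added example (Python; not code from this bug, from Gentoo, or from Django itself) illustrating the CVE-2014-0481 failure mode described above: a constructed in-memory storage counts how many existence checks each naming strategy needs when every upload carries the same file name, so the quadratic cost of sequential numbering can be seen next to the constant cost of the random-suffix scheme the patched releases switched to (the linked Django advisory describes the fix as appending a random 7-character alphanumeric string). `NameAllocator`, `probes_for_uploads` and the storage contents are invented for the demonstration.

```python
import os
import secrets
import string

# Alphabet for the random suffix; 62**7 possible suffixes (constructed constants).
SUFFIX_ALPHABET = string.ascii_letters + string.digits
SUFFIX_LENGTH = 7


class NameAllocator:
    """Simulated upload storage that hands out a free file name per upload.

    `existing` stands in for the storage backend's current listing and
    `probes` counts exists() calls, i.e. the filesystem work one upload costs.
    Class and method names are invented for this example.
    """

    def __init__(self, existing=()):
        self.existing = set(existing)
        self.probes = 0

    def exists(self, name):
        self.probes += 1
        return name in self.existing

    def sequential_name(self, name):
        """Vulnerable pre-fix behaviour: report.pdf, report_1.pdf, report_2.pdf, ...

        The k-th colliding upload walks k already-taken names before finding a
        free one, so total work over n uploads grows quadratically.
        """
        root, ext = os.path.splitext(name)
        candidate, count = name, 0
        while self.exists(candidate):
            count += 1
            candidate = f"{root}_{count}{ext}"
        return candidate

    def random_suffix_name(self, name):
        """Hardened behaviour: report.pdf, then report_<7 random chars>.pdf.

        A fresh random suffix almost never collides, so each upload costs a
        constant number of probes no matter how many files share the name.
        """
        root, ext = os.path.splitext(name)
        candidate = name
        while self.exists(candidate):
            suffix = "".join(secrets.choice(SUFFIX_ALPHABET) for _ in range(SUFFIX_LENGTH))
            candidate = f"{root}_{suffix}{ext}"
        return candidate

    def store(self, name, strategy):
        """Allocate a name with `strategy` and record it as taken."""
        final = strategy(name)
        self.existing.add(final)
        return final


def probes_for_uploads(n, strategy_name, name="report.pdf"):
    """Total exists() probes needed to store `n` uploads that all use `name`."""
    alloc = NameAllocator()
    for _ in range(n):
        alloc.store(name, getattr(alloc, strategy_name))
    return alloc.probes


if __name__ == "__main__":
    # Sequential naming needs n(n+1)/2 probes for n same-named uploads;
    # random suffixes need about 2n-1, since the first probe hits the original name.
    for n in (10, 100, 1000):
        print(n,
              probes_for_uploads(n, "sequential_name"),
              probes_for_uploads(n, "random_suffix_name"))
```

The probe counter is the metric a defender cares about here: with sequential naming, each extra same-named upload makes the next one slower, which is the CPU-consumption denial of service the CVE text describes, while the random-suffix variant keeps per-upload cost flat.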