Bug 349510 (CVE-2010-4534) - <dev-python/django-1.2.4-r1: information leakage and DoS (CVE-2010-{4534,4535})
Summary: <dev-python/django-1.2.4-r1: information leakage and DoS (CVE-2010-{4534,4535})
Status: RESOLVED FIXED
Alias: CVE-2010-4534
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.djangoproject.com/weblog/2...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2010-12-23 17:07 UTC by Albert W. Hopkins
Modified: 2011-01-27 17:43 UTC
Description Albert W. Hopkins 2010-12-23 17:07:14 UTC
URL describes a vulnerability in 1.2.3, and 1.1.3 (but probably also applies to 1.1.2).

Also AFAIK 1.0.* is no longer supported upstream, so it should probably be dropped from portage.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-12-23 17:39:56 UTC
Thanks for the report.

From $URL:

Today the Django team is issuing multiple releases -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- to remedy two security issues reported to us. All users of affected versions of Django are urged to upgrade immediately.

Looks like dev-python/django-1.2.4 is already in the tree thanks to arfrever. So...

Arches, please test and mark stable:
=dev-python/django-1.2.4
Target keywords : "amd64 x86"
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-12-23 18:10:16 UTC
dev-python/django-1.2.4 contains a known regression, which was reported in #django-dev after I had added dev-python/django-1.2.4 to the tree.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2010-12-23 18:58:12 UTC
(In reply to comment #2)
> dev-python/django-1.2.4 contains a known regression, which was reported in
> #django-dev after I have added dev-python/django-1.2.4 to the tree.
> 

Ok, thanks. I guess we'll wait for another release.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-12-24 13:52:23 UTC
(In reply to comment #2)
> dev-python/django-1.2.4 contains a known regression, which was reported in
> #django-dev after I have added dev-python/django-1.2.4 to the tree.
> 

You should mark that bug as a blocker to this one.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-01-03 21:36:04 UTC
CVE Assignment via: http://www.openwall.com/lists/oss-security/2011/01/03/5

> > I), Information leakage in Django administrative interface

Use CVE-2010-4534

> > II), Denial-of-service attack in password-reset mechanism

Use CVE-2010-4535

Comment 6 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-01-25 21:57:38 UTC
(In reply to comment #2)

The regression has been fixed in dev-python/django-1.2.4-r1.
Comment 7 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-01-25 21:58:39 UTC
Stabilize dev-python/django-1.2.4-r1.
Comment 8 Agostino Sarubbo gentoo-dev 2011-01-26 13:40:06 UTC
amd64 ok
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2011-01-26 14:01:20 UTC
amd64 done. Thanks Agostino
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2011-01-26 19:56:48 UTC
x86 stable, last one, so update the whiteboard.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-01-26 19:58:21 UTC
GLSA vote: NO
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-01-26 19:59:18 UTC
python: Please remove any leftover vulnerable ebuilds.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-01-27 17:43:03 UTC
(In reply to comment #12)
> python: Please remove any leftover vulnerable ebuilds.
> 

This has been done; thanks, Arfrever.

GLSA Vote: No too. Closing NOGLSA.