Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 484566 (CVE-2013-4315) - <dev-python/django-{1.4.8,1.5.4} : directory traversal issue (CVE-2013-4315)
Summary: <dev-python/django-{1.4.8,1.5.4} : directory traversal issue (CVE-2013-4315)
Status: RESOLVED FIXED
Alias: CVE-2013-4315
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: CVE-2013-1443
Blocks:
  Show dependency tree
 
Reported: 2013-09-11 09:41 UTC by Dirkjan Ochtman
Modified: 2013-10-28 17:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dirkjan Ochtman gentoo-dev 2013-09-11 09:41:34 UTC
Affects <1.4.7, <1.5.3, <1.6_beta3.
Comment 1 Agostino Sarubbo gentoo-dev 2013-09-11 12:35:50 UTC
(In reply to Dirkjan Ochtman from comment #0)
> Affects <1.4.7, <1.5.3, <1.6_beta3.

Thanks for the report. What about the 1.2 and 1.3 series?
Comment 2 Dirkjan Ochtman gentoo-dev 2013-09-11 13:18:33 UTC
From reading the $URL, I conclude they're not affected.
Comment 3 Agostino Sarubbo gentoo-dev 2013-09-12 19:21:22 UTC
(In reply to Dirkjan Ochtman from comment #2)
> From reading the $URL, I conclude they're not affected.

Could you point where you see that are supported?
Comment 4 Dirkjan Ochtman gentoo-dev 2013-09-13 08:14:57 UTC
It explicitly lists the affected versions.
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-14 09:39:43 UTC
(In reply to Dirkjan Ochtman from comment #4)
> It explicitly lists the affected versions.

I don't see them available in the download main page. So I suppose there is no support and is why they didn't mention them in the advisory.
Comment 6 Dirkjan Ochtman gentoo-dev 2013-09-14 16:47:21 UTC
Okay. I think we can just punt everything < 1.4.5 (which is currently stable). Does anyone have a problem with that? If not, I'll do it in ~40h.
Comment 7 Arfrever Frehtes Taifersar Arahesis 2013-09-15 06:36:11 UTC
(In reply to Dirkjan Ochtman from comment #6)
> Does anyone have a problem with that?

There was bug #471614.
Comment 8 Agostino Sarubbo gentoo-dev 2013-09-15 08:13:53 UTC
(In reply to Dirkjan Ochtman from comment #6)
> Okay. I think we can just punt everything < 1.4.5 (which is currently
> stable). Does anyone have a problem with that? If not, I'll do it in ~40h.

(In reply to Arfrever Frehtes Taifersar Arahesis from comment #7)
> (In reply to Dirkjan Ochtman from comment #6)
> > Does anyone have a problem with that?
> 
> There was bug #471614.

then just package.mask <1.4.7 after the stabilization
Comment 9 Dirkjan Ochtman gentoo-dev 2013-09-15 10:21:01 UTC
Well, I think Markos should just clean up his code, we shouldn't carry around ebuilds for unpatched versions in the tree unless there's a lot of maintainer love (which it seems there isn't, for Django).
Comment 10 Dirkjan Ochtman gentoo-dev 2013-09-15 11:05:28 UTC
Stabilization will be handled in bug 484984.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-09-17 22:56:01 UTC
CVE-2013-4315 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4315):
  Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before
  1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary
  files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a ..
  (dot dot) in a ssi template tag.