Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 508514 (CVE-2014-0472) - <dev-python/django-1.4.11 : Multiple Vulnerabilities (CVE-2014-{0472,0473,0474})
Summary: <dev-python/django-1.4.11 : Multiple Vulnerabilities (CVE-2014-{0472,0473,0474})
Status: RESOLVED FIXED
Alias: CVE-2014-0472
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/58201/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-23 14:14 UTC by Agostino Sarubbo
Modified: 2014-08-10 21:02 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-04-23 14:14:02 UTC
From ${URL} :

Description

A security issue and multiple vulnerabilities have been reported in Django, which can be exploited by malicious people to potentially 
disclose certain sensitive information, manipulate certain data, and compromise a vulnerable system.

1) Input related to the path to the desired view passed to the "django.core.urlresolvers.reverse()" function is not properly verified 
before being used to import modules. This can be exploited to e.g. import arbitrary Python modules and execute arbitrary code.

2) An error when handling caching of responses to unauthenticated clients can be exploited to disclose a CSRF nonce.

3) Errors within the FilePathField, GenericIPAddressField, and IPAddressField model field classes can potentially be exploited to 
manipulate SQL queries.

The security issue and vulnerabilities are reported in versions prior to 1.4.11, prior to 1.5.6, and prior to 1.6.3.


Solution:
Update to version 1.4.11, 1.5.6, or 1.6.3.

Provided and/or discovered by:
The vendor credits:
1) Benjamin Bach
2) Paul McMillan
3) Michael Koziarski, Ruby on Rails team

Original Advisory:
https://www.djangoproject.com/weblog/2014/apr/21/security/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2014-04-25 00:48:37 UTC
*django-1.4.11 (25 Apr 2014)
*django-1.6.3 (25 Apr 2014)
*django-1.5.6 (25 Apr 2014)

  25 Apr 2014; Ian Delaney <idella4@gentoo.org> +django-1.4.11.ebuild,
  +django-1.5.6.ebuild, +django-1.6.3.ebuild, django-1.6.1.ebuild:
  bumps wrt to Bug #508514
Comment 2 Ian Delaney (RETIRED) gentoo-dev 2014-04-26 06:39:06 UTC
just stabalise django-1.4.8 for now thx
Comment 3 Agostino Sarubbo gentoo-dev 2014-04-26 09:05:35 UTC
(In reply to Ian Delaney from comment #2)
> just stabalise django-1.4.8 for now thx

I guess 1.4.11

Arches, please test and mark stable:
=dev-python/django-1.4.11
Target keywords : "amd64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2014-04-26 09:14:01 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-04-27 09:09:07 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-04-27 11:32:52 UTC
CVE-2014-0472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0472):
  The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x
  before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote
  attackers to import and execute arbitrary Python modules by leveraging a
  view that constructs URLs using user input and a "dotted Python path."
Comment 7 Ian Delaney (RETIRED) gentoo-dev 2014-04-28 04:40:55 UTC
(In reply to Agostino Sarubbo from comment #5)
> x86 stable.
> 
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

  28 Apr 2014; Ian Delaney <idella4@gentoo.org> -django-1.4.8.ebuild:
  remove -1.4.8 wrt bug #508514

The others can be put up for stable in a month
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-02 03:23:21 UTC
(In reply to Ian Delaney from comment #7)
> (In reply to Agostino Sarubbo from comment #5)
> > x86 stable.
> > 
> > Maintainer(s), please cleanup.
> > Security, please add it to the existing request, or file a new one.
> 
>   28 Apr 2014; Ian Delaney <idella4@gentoo.org> -django-1.4.8.ebuild:
>   remove -1.4.8 wrt bug #508514
> 
> The others can be put up for stable in a month

Ian, 

Can you also clean up django-1.6.1, and django-1.5.4 as they are also vulnerable.

Thank you
Comment 9 Ian Delaney (RETIRED) gentoo-dev 2014-05-02 11:51:54 UTC
  02 May 2014; Ian Delaney <idella4@gentoo.org> -django-1.5.4.ebuild,
  -django-1.6.1.ebuild:
  cleanout wrt Bug 508514
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-02 18:42:54 UTC
Maintainer(s), Thank you for cleanup!
Added to new GLSA Request
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-06-26 22:59:29 UTC
This issue was resolved and addressed in
 GLSA 201406-26 at http://security.gentoo.org/glsa/glsa-201406-26.xml
by GLSA coordinator Chris Reffett (creffett).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 21:02:11 UTC
CVE-2014-0474 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0474):
  The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField
  model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x
  before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type
  conversion, which allows remote attackers to have unspecified impact and
  vectors, related to "MySQL typecasting."

CVE-2014-0473 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0473):
  The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x
  before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all
  anonymous users, which allows remote attackers to bypass CSRF protections by
  reading the CSRF cookie for anonymous users.