From ${URL} :

Description

A security issue and multiple vulnerabilities have been reported in Django, which can be exploited by malicious people to potentially disclose certain sensitive information, manipulate certain data, and compromise a vulnerable system.

1) Input related to the path to the desired view passed to the "django.core.urlresolvers.reverse()" function is not properly verified before being used to import modules. This can be exploited to e.g. import arbitrary Python modules and execute arbitrary code.

2) An error when handling caching of responses to unauthenticated clients can be exploited to disclose a CSRF nonce.

3) Errors within the FilePathField, GenericIPAddressField, and IPAddressField model field classes can potentially be exploited to manipulate SQL queries.

The security issue and vulnerabilities are reported in versions prior to 1.4.11, prior to 1.5.6, and prior to 1.6.3.

Solution:
Update to version 1.4.11, 1.5.6, or 1.6.3.

Provided and/or discovered by:
The vendor credits:
1) Benjamin Bach
2) Paul McMillan
3) Michael Koziarski, Ruby on Rails team

Original Advisory:
https://www.djangoproject.com/weblog/2014/apr/21/security/

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
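Added here as an example, not code from the bug report, the Secunia/Django advisory or the Gentoo tree: a small Python check that maps an installed Django version string onto the affected ranges quoted above (before 1.4.11, 1.5.6 and 1.6.3, and 1.7.x before 1.7 beta 2 as in the CVE entries), so an administrator can tell from `django.get_version()` output whether a host still needs the bump. It assumes Django's own version-string format (`1.6.2`, `1.7b1`, `1.7c1`); the upgrade target it suggests for branches older than 1.4 is an assumption as well.

```python
# Added example; not code from the Gentoo bug or the Django project.
# Classifies a Django version string against the affected ranges quoted in the
# advisory above. Assumes Django's version string format: "1.6.2", "1.7b1", "1.7c1".
import re

# Oldest fixed release per branch, from the advisory and the CVE entries.
FIXED_RELEASES = {
    (1, 4): "1.4.11",
    (1, 5): "1.5.6",
    (1, 6): "1.6.3",
    (1, 7): "1.7b2",   # 1.7.x "before 1.7 beta 2" is affected
}

# Pre-release tags order as alpha < beta < release candidate < final.
_PRE_RANK = {"a": 0, "b": 1, "c": 2, "rc": 2}
_FINAL_RANK = 3

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|c|rc)(\d+))?")


def parse_django_version(text):
    """Return (major, minor, micro, pre_rank, pre_num) so tuples compare correctly."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised Django version string: %r" % text)
    major, minor, micro, tag, num = m.groups()
    pre = (_PRE_RANK[tag], int(num)) if tag else (_FINAL_RANK, 0)
    return (int(major), int(minor), int(micro or 0)) + pre


def is_affected(text):
    """True if the given version falls in a range the advisory reports as vulnerable."""
    version = parse_django_version(text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version < parse_django_version(FIXED_RELEASES[branch])
    # "prior to 1.4.11" also covers branches older than 1.4, which never got a fix.
    return branch < (1, 4)


def recommended_upgrade(text):
    """Fixed release to move to, or None if the version is not affected."""
    if not is_affected(text):
        return None
    branch = parse_django_version(text)[:2]
    # Assumption: an out-of-support branch moves to the newest fixed stable, 1.6.3.
    return FIXED_RELEASES.get(branch, "1.6.3")
```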
*django-1.4.11 (25 Apr 2014)
*django-1.6.3 (25 Apr 2014)
*django-1.5.6 (25 Apr 2014)

  25 Apr 2014; Ian Delaney <idella4@gentoo.org> +django-1.4.11.ebuild,
  +django-1.5.6.ebuild, +django-1.6.3.ebuild, django-1.6.1.ebuild:
  bumps wrt Bug #508514
just stabilise django-1.4.8 for now thx
(In reply to Ian Delaney from comment #2)
> just stabilise django-1.4.8 for now thx

I guess 1.4.11

Arches, please test and mark stable:
=dev-python/django-1.4.11
Target keywords : "amd64 x86"
amd64 stable
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
CVE-2014-0472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0472): The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."
(In reply to Agostino Sarubbo from comment #5)
> x86 stable.
>
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

  28 Apr 2014; Ian Delaney <idella4@gentoo.org> -django-1.4.8.ebuild:
  remove -1.4.8 wrt bug #508514

The others can be put up for stable in a month
(In reply to Ian Delaney from comment #7)
> (In reply to Agostino Sarubbo from comment #5)
> > x86 stable.
> >
> > Maintainer(s), please cleanup.
> > Security, please add it to the existing request, or file a new one.
>
>   28 Apr 2014; Ian Delaney <idella4@gentoo.org> -django-1.4.8.ebuild:
>   remove -1.4.8 wrt bug #508514
>
> The others can be put up for stable in a month

Ian,

Can you also clean up django-1.6.1 and django-1.5.4, as they are also vulnerable?

Thank you
  02 May 2014; Ian Delaney <idella4@gentoo.org> -django-1.5.4.ebuild,
  -django-1.6.1.ebuild:
  cleanout wrt Bug 508514
Maintainer(s), thank you for the cleanup!

Added to new GLSA request.
This issue was resolved and addressed in GLSA 201406-26 at http://security.gentoo.org/glsa/glsa-201406-26.xml by GLSA coordinator Chris Reffett (creffett).
CVE-2014-0474 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0474): The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."

CVE-2014-0473 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0473): The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.