| Summary: | python-django new security issues CVE-2013-4315 and CVE-2013-1443 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, geiger.david68210, makowski.mageia, qa-bugs, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/566244/ | | |
| Whiteboard: | MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok | | |
| Source RPM: | python-django-1.4.6-1.mga3.src.rpm | CVE: | |
| Status comment: | | | |

Description

David Walser 2013-09-11 18:57:30 CEST

David Walser 2013-09-11 18:57:43 CEST

CC: (none) => makowski.mageia

I take care of it

Here are the new packages:

python-django-1.4.7-1.mga3.noarch
python-django-1.4.7-1.mga3.src
python-django-1.3.7-1.2.mga2.noarch
python-django-1.3.7-1.2.mga2.src
python-django-doc-1.5.3-1.mga4.noarch
python-django-1.5.3-1.mga4.noarch
python3-django-1.5.3-1.mga4.noarch
python-django-1.5.3-1.mga4.src

Thanks Philippe!
Advisory:
========================
Updated python-django package fixes security vulnerability:
Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi'
template tags in python-django, a high-level Python web development framework.
It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to
represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a
directory traversal attack, by specifying a file path which begins as the
absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative
paths to break free. To exploit this vulnerability an attacker must be in a
position to alter templates on the site, or the site to be attacked must have
one or more templates making use of the 'ssi' tag, and must allow some form of
unsanitized user input to be used as an argument to the 'ssi' tag
(CVE-2013-4315).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4315
https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
http://www.debian.org/security/2013/dsa-2755
========================
Updated packages in core/updates_testing:
========================
python-django-1.3.7-1.2.mga2
python-django-1.4.7-1.mga3
from SRPMS:
python-django-1.3.7-1.2.mga2.src.rpm
python-django-1.4.7-1.mga3.src.rpm

Version: Cauldron => 3

Advisory 11217.adv committed to svn.

CC: (none) => davidwhodgins

Testing complete mga3_64, ok for me nothing to report.

    [david@localhost ~]$ django-admin.py startproject mysite
    [david@localhost ~]$ cd mysite
    [david@localhost mysite]$ ls
    manage.py*  mysite/
    [david@localhost mysite]$ cd mysite
    [david@localhost mysite]$ ls
    __init__.py  settings.py  urls.py  wsgi.py
    [david@localhost mysite]$ cd..
    [david@localhost mysite]$ python manage.py runserver
    Validating models...
    0 errors found
    Django version 1.4.7, using settings 'mysite.settings'
    Development server is running at http://127.0.0.1:8000/
    Quit the server with CONTROL-C.
    [14/Sep/2013 00:37:51] "GET / HTTP/1.1" 200 1957

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c

CC: (none) => geiger.david68210

Testing complete mga3_32, ok for me nothing to report.

    [david@localhost ~]$ django-admin.py startproject mysite
    [david@localhost ~]$ cd mysite
    [david@localhost mysite]$ ls
    manage.py*  mysite/
    [david@localhost mysite]$ cd mysite
    [david@localhost mysite]$ ls
    __init__.py  settings.py  urls.py  wsgi.py
    [david@localhost mysite]$ cd..
    [david@localhost mysite]$ python manage.py runserver
    Validating models...
    0 errors found
    Django version 1.4.7, using settings 'mysite.settings'
    Development server is running at http://127.0.0.1:8000/
    Quit the server with CONTROL-C.
    [14/Sep/2013 00:48:45] "GET / HTTP/1.1" 200 1957

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c

Whiteboard: MGA2TOO => MGA2TOO mga3-64-ok mga3-32-ok

Testing complete mga2_32, ok for me nothing to report.

    [david@localhost ~]$ django-admin.py startproject mysite
    [david@localhost ~]$ cd mysite
    [david@localhost mysite]$ ls
    __init__.py  manage.py  settings.py  urls.py
    [david@localhost mysite]$ python manage.py runserver
    Validating models...
    0 errors found
    Django version 1.3.7, using settings 'mysite.settings'
    Development server is running at http://127.0.0.1:8000/
    Quit the server with CONTROL-C.
    [14/Sep/2013 01:05:11] "GET / HTTP/1.1" 200 2051

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c

Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok => MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok

While the explanation of how to exploit the bug is clear, there is no simple example application, or easy to find instructions of how to set up a test using the 'ssi' tag, so just testing that python-django is working.

Testing complete on Mageia 2 x86_64.

Someone from the sysadmin team please push 11217.adv to updates.

Keywords: (none) => validated_update

This needs updating again for another security issue, CVE-2013-4315:
https://www.djangoproject.com/weblog/2013/sep/15/security/
http://www.openwall.com/lists/oss-security/2013/09/15/3

Keywords: validated_update => (none)

It looks like Oden has already updated this for Mageia 3 and Cauldron, so it just needs an update for Mageia 2.

Ok, I will try to backport the patch to python-django-1.3.7 in mga2 from Django 1.4.8.

I can't backport it: the default password hasher in Django, PBKDF2, which is the main point of this security issue (CVE-2013-4315), is not present in Django 1.3.7; it was introduced in Django 1.4. So IMHO, CVE-2013-4315 doesn't apply to Django 1.3.7 and thus mga2 doesn't need to be updated for this.

Thanks Philippe!
Advisory (Mageia 2):
========================
Updated python-django package fixes security vulnerability:
Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi'
template tags in python-django, a high-level Python web development framework.
It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to
represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a
directory traversal attack, by specifying a file path which begins as the
absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative
paths to break free. To exploit this vulnerability an attacker must be in a
position to alter templates on the site, or the site to be attacked must have
one or more templates making use of the 'ssi' tag, and must allow some form of
unsanitized user input to be used as an argument to the 'ssi' tag
(CVE-2013-4315).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4315
https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
http://www.debian.org/security/2013/dsa-2755
========================
Updated packages in core/updates_testing:
========================
python-django-1.3.7-1.2.mga2
from python-django-1.3.7-1.2.mga2.src.rpm
Advisory (Mageia 3):
========================
Updated python-django package fixes security vulnerabilities:
Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi'
template tags in python-django, a high-level Python web development framework.
It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to
represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a
directory traversal attack, by specifying a file path which begins as the
absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative
paths to break free. To exploit this vulnerability an attacker must be in a
position to alter templates on the site, or the site to be attacked must have
one or more templates making use of the 'ssi' tag, and must allow some form of
unsanitized user input to be used as an argument to the 'ssi' tag
(CVE-2013-4315).
Django before 1.4.8 allows for denial-of-service attacks through repeated
submission of large passwords, tying up server resources in the expensive
computation of the corresponding hashes (CVE-2013-1443).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4315
https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
https://www.djangoproject.com/weblog/2013/sep/15/security/
http://www.debian.org/security/2013/dsa-2755
========================
Updated packages in core/updates_testing:
========================
python-django-1.4.8-1.mga3
from python-django-1.4.8-1.mga3.src.rpm

Assignee: makowski.mageia => qa-bugs

I've restored the Mageia 2 testing markers, as it was previously validated and has not been updated again.

Whiteboard: MGA2TOO => MGA2TOO mga2-32-ok mga2-64-ok

Testing complete mga3 32 & 64

Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok => MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok

Existing advisory split into 11217.adv and 11217.mga3.adv, both are uploaded to svn.

Validating. Could sysadmin please push from 2 & 3 core/updates_testing to updates? Thanks!

Keywords: (none) => validated_update

LWN reference for CVE-2013-1443: http://lwn.net/Vulnerabilities/567275/

Mga2 update pushed: http://advisories.mageia.org/MGASA-2013-0283.html
Mga3 update pushed: http://advisories.mageia.org/MGASA-2013-0284.html

Status: NEW => RESOLVED
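The advisories above describe a prefix check on 'ALLOWED_INCLUDE_ROOTS' that a path starting with an allowed root but containing `..` segments walks out of (CVE-2013-4315). As an added illustration, not Django's own code and not part of this bug report, the weak string-prefix test is shown beside a normalising check; the root directory `/srv/site/includes` and the sample paths are constructed for the example.

```python
import posixpath

# Constructed allow-list in the shape of Django's ALLOWED_INCLUDE_ROOTS setting;
# the directory is an assumption for this example, not taken from the report.
ALLOWED_INCLUDE_ROOTS = ("/srv/site/includes",)


def prefix_check(path, roots=ALLOWED_INCLUDE_ROOTS):
    """Weak form: a plain string-prefix test on the path as supplied.
    "/srv/site/includes/../../../etc/passwd" starts with the allowed root and
    is accepted, although the file it names lies far outside that root."""
    return any(path.startswith(root) for root in roots)


def normalised_check(path, roots=ALLOWED_INCLUDE_ROOTS):
    """Hardened form: collapse '.' and '..' segments first, then require the
    resolved path to be the root itself or to sit beneath it (root + '/').
    Appending the separator also rejects look-alike siblings such as
    "/srv/site/includes-evil/x", which a bare prefix test would accept.
    Note: normpath is purely lexical and does not follow symlinks; a check
    that must also defeat symlinks would use os.path.realpath on a path
    that exists on disk."""
    resolved = posixpath.normpath(path)
    for root in roots:
        root = posixpath.normpath(root)
        if resolved == root or resolved.startswith(root + "/"):
            return True
    return False


# Constructed sample arguments of the kind that could reach an 'ssi' tag.
SAMPLE_PATHS = [
    "/srv/site/includes/header.html",            # legitimate include
    "/srv/site/includes/sub/../header.html",     # legitimate, needs normalising
    "/srv/site/includes/../../../etc/passwd",    # traversal out of the root
    "/srv/site/includes-evil/header.html",       # look-alike sibling directory
    "/etc/passwd",                               # outside the root entirely
]


def compare(paths=SAMPLE_PATHS):
    """Return (path, prefix_result, normalised_result) for each sample so the
    two checks can be compared side by side."""
    return [(p, prefix_check(p), normalised_check(p)) for p in paths]


if __name__ == "__main__":
    for path, weak, strong in compare():
        print("%-45s prefix=%-5s normalised=%s" % (path, weak, strong))
```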