| Summary: | python-django new security issues CVE-2014-1418 and CVE-2014-3730 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | makowski.mageia, oe, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/598863/ | | |
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok | | |
| Source RPM: | python-django-1.6.3-2.mga5.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2014-05-15 16:11:44 CEST
David Walser
2014-05-15 16:11:50 CEST
Whiteboard: (none) => MGA4TOO, MGA3TOO

fixed with python-django-1.4.13-1.mga3, python-django-1.5.8-1.mga4 & python-django-1.5.8-1.mga4.
CC: (none) => oe

Thanks Oden! Unfortunately we currently have multiple Django versions packaged, so there's also a python-django14 SRPM in Mageia 4 and Cauldron which need to be updated as well.

Ubuntu has issued an advisory for this on May 14:
http://www.ubuntu.com/usn/usn-2212-1/
URL: (none) => http://lwn.net/Vulnerabilities/598863/

fixed too in python-django14-1.4.13-1.mga4 and python-django14-1.4.13-2.mga5

Thanks Philippe (and Oden)!

Advisory:
========================

Updated python-django and python-django14 packages fix security vulnerabilities:

Stephen Stewart, Michael Nelson, Natalia Bidart and James Westby discovered that Django improperly removed Vary and Cache-Control headers from HTTP responses when replying to a request from an Internet Explorer or Chrome Frame client. An attacker may use this to retrieve private data or poison caches. This update removes workarounds for bugs in Internet Explorer 6 and 7 (CVE-2014-1418).

Peter Kuma and Gavin Wahl discovered that Django did not correctly validate some malformed URLs, which are accepted by some browsers. An attacker may use this to cause unexpected redirects (CVE-2014-3730).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3730
https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/
http://www.ubuntu.com/usn/usn-2212-1/
========================

Updated packages in core/updates_testing:
========================
python-django-1.4.13-1.mga3
python-django-1.5.8-1.mga4
python3-django-1.5.8-1.mga4
python-django-doc-1.5.8-1.mga4
python-django14-1.4.13-1.mga4

from SRPMS:
python-django-1.4.13-1.mga3.src.rpm
python-django-1.5.8-1.mga4.src.rpm
python-django14-1.4.13-1.mga4.src.rpm
CC: (none) => makowski.mageia

Procedure: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
Whiteboard: MGA3TOO => MGA3TOO has_procedure

test ok on mga3-64
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok

test ok on mga4-64
Whiteboard: MGA3TOO has_procedure mga3-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok

Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates. Thanks
claire robinson
2014-05-19 17:58:12 CEST
Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0231.html
Status: NEW => RESOLVED

LWN reference for CVE-2014-3730: http://lwn.net/Vulnerabilities/599626/
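As an added illustration of the CVE-2014-1418 advisory text above (not Django's or Mageia's code): a toy Vary-aware shared cache in front of a per-user view, with a response hook that reproduces the described behaviour of dropping Vary and Cache-Control for Internet Explorer clients. The view, user agents and cookie values are constructed for the demonstration.

```python
# Toy shared cache showing why stripping Vary/Cache-Control for one browser family leaks data.
from dataclasses import dataclass, field


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def legacy_ie_fixup(req, resp):
    """Vulnerable behaviour, constructed from the advisory text: drop Vary
    and Cache-Control when the client looks like Internet Explorer."""
    if "MSIE" in req.get("User-Agent", ""):
        resp.headers.pop("Vary", None)
        resp.headers.pop("Cache-Control", None)
    return resp


def fixed_behaviour(req, resp):
    """Fixed behaviour: caching headers are left untouched for every client."""
    return resp


def account_view(req):
    """Hypothetical app view: per-user content, correctly marked private."""
    user = req.get("Cookie", "").replace("session=", "")
    return Response(f"Hello {user}", {"Vary": "Cookie", "Cache-Control": "private"})


class SharedCache:
    """Minimal proxy cache: stores non-private responses and honours Vary
    by keying each entry on the request headers the response names."""
    def __init__(self):
        self.entries = {}  # url -> list of (vary_values, Response)

    def fetch(self, url, req, view, fixup):
        for vary_values, cached in self.entries.get(url, []):
            if all(req.get(h, "") == v for h, v in vary_values.items()):
                return cached  # hit; an entry with no Vary matches every client
        resp = fixup(req, view(req))
        if "private" not in resp.headers.get("Cache-Control", ""):
            vary = [h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
            self.entries.setdefault(url, []).append(({h: req.get(h, "") for h in vary}, resp))
        return resp


def what_bob_sees(fixup):
    """Alice (IE) loads /account first; Bob (another browser) loads it next."""
    cache = SharedCache()
    alice = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0)", "Cookie": "session=alice"}
    bob = {"User-Agent": "Mozilla/5.0 Firefox/29.0", "Cookie": "session=bob"}
    cache.fetch("/account", alice, account_view, fixup)
    return cache.fetch("/account", bob, account_view, fixup).body
```

With the legacy hook, Alice's IE request strips the headers that mark the response as private and per-cookie, so the cache stores it and serves Alice's page to Bob; with the fixed hook the response is never cached and Bob gets his own.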