| Summary: | python-django new security issues CVE-2015-0219 and CVE-2015-022[0-2] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | makowski.mageia, olchal, sysadmin-bugs, tmb, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/629475/ | ||
| Whiteboard: | has_procedure MGA4-32-OK MGA4-64-OK advisory | ||
| Source RPM: | python-django-1.7-4.mga5.src.rpm, python-django14-1.4.15-4.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2015-01-14 19:04:07 CET

David Walser
2015-01-14 19:04:18 CET

Whiteboard: (none) => MGA4TOO

python-django14-1.4.18-1.1.mga4 is available.

python-django14-1.4.18-1.mga5 and python-django-1.7.3-1.mga5 need a freeze push.

python-django-1.5.9-1.1.mga4 will come ASAP, I need to back port patches, since Django 1.5 is no longer receiving security updates from upstream.

Freeze pushes fulfilled in Cauldron.

Whiteboard: MGA4TOO => (none)

python-django-1.5.9-1.1.mga4 is available.

Thanks Philippe!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13251#c6

Advisory:
========================

Updated python-django and python-django14 packages fix security vulnerabilities:

Jedediah Smith discovered that Django incorrectly handled underscores in WSGI headers. A remote attacker could possibly use this issue to spoof headers in certain environments (CVE-2015-0219).

Mikko Ohtamaa discovered that Django incorrectly handled user-supplied redirect URLs. A remote attacker could possibly use this issue to perform a cross-site scripting attack (CVE-2015-0220).

Alex Gaynor discovered that Django incorrectly handled reading files in django.views.static.serve(). A remote attacker could possibly use this issue to cause Django to consume resources, resulting in a denial of service (CVE-2015-0221).

Keryn Knight discovered that Django incorrectly handled forms with ModelMultipleChoiceField. A remote attacker could possibly use this issue to cause a large number of SQL queries, resulting in a database denial of service. Note that this issue only affected python-django (CVE-2015-0222).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0220
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0222
https://www.djangoproject.com/weblog/2015/jan/13/security/
http://www.ubuntu.com/usn/usn-2469-1/
========================

Updated packages in core/updates_testing:
========================
python-django14-1.4.18-1.1.mga4
python-django-1.5.9-1.1.mga4
python3-django-1.5.9-1.1.mga4
python-django-doc-1.5.9-1.1.mga4

from SRPMS:
python-django14-1.4.18-1.1.mga4.src.rpm
python-django-1.5.9-1.1.mga4.src.rpm

CC: (none) => makowski.mageia

Testing on Mageia4x64, real hardware, following procedure mentioned in Comment 4

From current packages:
---------------------
(installed and tested each package separately as they conflict with each other)

python-django-1.5.9-1.mga4

$ django-admin.py startproject mysite
$ cd mysite/
$ python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 03:57:52
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[17/Jan/2015 03:58:01] "GET / HTTP/1.1" 200 1957

Browsed to http://localhost:8000/
Which showed:
It worked!
Congratulations on your first Django-powered page.

Killed the server with Ctrl-C and removed mysite directory.

Did the same with python-django14-1.4.13-1.mga4
OK

Did the same with python3-django-1.5.9-1.mga4, changing commands accordingly
OK

To updated testing packages:
--------------------
python-django-1.5.9-1.1.mga4
python-django14-1.4.18-1.1.mga4
python3-django-1.5.9-1.1.mga4
-------
All OK.

CC: (none) => olchal

In VirtualBox, M4, KDE, 32-bit
Package(s) under test: python-django & python-django14

default install of python-django

[root@localhost wilcal]# urpmi python-django
Package python-django-1.5.9-1.mga4.noarch is already installed
[root@localhost wilcal]# django-admin.py startproject mysite
[root@localhost wilcal]# cd mysite/
[root@localhost mysite]# python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 11:24:31
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/

Browsed to http://localhost:8000/
Which showed:
It worked!
Congratulations on your first Django-powered page.

Quit the server with CONTROL-C.

delete mysite

install python-django from updates_testing

[root@localhost wilcal]# urpmi python-django
Package python-django-1.5.9-1.1.mga4.noarch is already installed
[root@localhost wilcal]# django-admin.py startproject mysite
[root@localhost wilcal]# cd mysite/
[root@localhost mysite]# python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 11:24:31
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Browsed to http://localhost:8000/
Which showed:
It worked!
Congratulations on your first Django-powered page.

Quit the server with CONTROL-C.

delete mysite
remove python-django

default install of python-django14

[root@localhost wilcal]# urpmi python-django14
Package python-django14-1.4.14-1.3.mga4.noarch is already installed
[root@localhost wilcal]# django-admin.py startproject mysite
[root@localhost wilcal]# cd mysite/
[root@localhost mysite]# python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 11:24:31
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Browsed to http://localhost:8000/
Which showed:
It worked!
Congratulations on your first Django-powered page.

Quit the server with CONTROL-C.

delete mysite

install python-django14 from updates_testing

[root@localhost wilcal]# urpmi python-django14
Package python-django14-1.4.18-1.1.mga4.noarch is already installed
[root@localhost wilcal]# django-admin.py startproject mysite
[root@localhost wilcal]# cd mysite/
[root@localhost mysite]# python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 11:24:31
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Browsed to http://localhost:8000/
Which showed:
It worked!
Congratulations on your first Django-powered page.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

This update works fine. Another super job by oliver.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update

advisory uploaded

Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0026.html

Resolution: (none) => FIXED
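The header-spoofing issue the advisory above attributes to CVE-2015-0219 comes from the CGI/WSGI convention of turning a header name into an environ key by upper-casing it and replacing hyphens with underscores, so two raw names that differ only in "-" versus "_" collide on the same key. The following Python is an added example, not code from this bug report, from Mageia or from Django: it reproduces that collision on a constructed header list, applies the mitigation the fixed Django releases adopted in their built-in development server (any incoming header whose name contains an underscore is dropped before it reaches the environ), and includes a small audit helper that reports colliding names. The function names and the sample headers are the example's own.

```python
"""Constructed demonstration of the WSGI header-name collision behind
CVE-2015-0219 and of the underscore-dropping mitigation.

Added example; not code from the bug report, from Mageia or from Django.
"""

from typing import Dict, List, Tuple

Header = Tuple[str, str]


def environ_key(name: str) -> str:
    """Map a raw HTTP header name to its CGI-style WSGI environ key.

    This is the mapping every WSGI server performs; both 'X-Real-IP'
    and 'X_Real_IP' land on 'HTTP_X_REAL_IP'.
    """
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ_naive(headers: List[Header]) -> Dict[str, str]:
    """Pre-fix behaviour: every header is mapped, and a later header
    overwrites an earlier one with the same key. A client-chosen
    'X_Real_IP' can therefore replace the 'X-Real-IP' a trusted
    proxy set in front of the application."""
    environ: Dict[str, str] = {}
    for name, value in headers:
        environ[environ_key(name)] = value
    return environ


def build_environ_hardened(
    headers: List[Header],
) -> Tuple[Dict[str, str], List[str]]:
    """Mitigated behaviour (what Django's runserver does after the fix):
    a header whose name contains '_' is never mapped, so only hyphenated
    names can reach HTTP_* keys. Returns the environ plus the names that
    were dropped, so the server can log them."""
    environ: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers:
        if "_" in name:
            dropped.append(name)
            continue
        environ[environ_key(name)] = value
    return environ, dropped


def find_collisions(headers: List[Header]) -> Dict[str, List[str]]:
    """Audit helper: environ keys that more than one raw header name
    maps to. Handy for checking what a front-end proxy really forwards."""
    by_key: Dict[str, List[str]] = {}
    for name, _ in headers:
        by_key.setdefault(environ_key(name), []).append(name)
    return {key: names for key, names in by_key.items() if len(names) > 1}


# Constructed sample request: 'X-Real-IP' stands for a header a trusted
# reverse proxy injects; 'X_Real_IP' stands for a header the client sent
# and the proxy passed through unchanged. Both are hypothetical values.
SAMPLE_HEADERS: List[Header] = [
    ("Host", "app.example.test"),
    ("X-Real-IP", "203.0.113.10"),
    ("X_Real_IP", "10.0.0.1"),
    ("User-Agent", "demo/1.0"),
]


if __name__ == "__main__":
    naive = build_environ_naive(SAMPLE_HEADERS)
    hardened, dropped = build_environ_hardened(SAMPLE_HEADERS)
    print("collisions          :", find_collisions(SAMPLE_HEADERS))
    print("naive HTTP_X_REAL_IP:", naive["HTTP_X_REAL_IP"])
    print("fixed HTTP_X_REAL_IP:", hardened["HTTP_X_REAL_IP"])
    print("dropped headers     :", dropped)
```

The check belongs at whichever layer first builds the environ: the fix in the advisory covers Django's own development server, while production deployments depend on the WSGI server or reverse proxy in front of it (nginx, for instance, drops underscore-named headers by default), so the audit helper is the part worth running against a real front-end configuration.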