Bug 17215

Summary: python-django new security issues CVE-2015-8213
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, davidwhodgins, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/665808/
Whiteboard: has_procedure MGA5-32-OK advisory
Source RPM: python-django-1.8.4-3.mga6.src.rpm CVE:
Status comment:

Description David Walser 2015-11-24 19:08:17 CET 
Upstream has issued an advisory today (November 24):
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/

The issue is fixed in 1.8.7.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-11-25 16:43:16 CET 
Ubuntu has issued an advisory for this on November 24:
http://www.ubuntu.com/usn/usn-2816-1/
David Walser 2015-11-25 20:03:44 CET

URL: (none) => http://lwn.net/Vulnerabilities/665808/

Comment 2 Philippe Makowski 2015-11-26 12:24:26 CET 
Mageia 5 and Cauldron updated to 1.8.7

Packages in 5/core/updates_testing :

python3-django-1.8.7-1.mga5.noarch
python-django-doc-1.8.7-1.mga5.noarch
python-django-bash-completion-1.8.7-1.mga5.noarch
python-django-1.8.7-1.mga5.noarch

from python-django-1.8.7-1.mga5.src

Assignee: makowski.mageia => security

Comment 3 David Walser 2015-11-26 16:49:21 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13251#c6

Advisory:
========================

Updated python-django packages fix security vulnerability:

If an application allows users to specify an unvalidated format for dates and
passes this format to the date filter, then a malicious user could obtain any
secret in the application's settings by specifying a settings key instead of a
date format (CVE-2015-8213).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8213
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
http://www.ubuntu.com/usn/usn-2816-1/

Assignee: security => qa-bugs
Whiteboard: (none) => has_procedure

Comment 4 Brian Rockwell 2015-11-28 21:47:19 CET 
No issues with installation or running the application.

[brian@localhost ~]$ python
Python 2.7.9 (default, Dec 14 2014, 10:10:27) 
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import django
>>> print(django.get_version())
1.8.7
>>>

CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 5 Brian Rockwell 2015-11-28 21:52:52 CET 
fyi - did a little bit more:

[brian@localhost pycode]$ django-admin startproject mysite
[brian@localhost pycode]$ ls
mysite/
[brian@localhost pycode]$ cd mysite
[brian@localhost mysite]$ ls
manage.py*  mysite/
[brian@localhost mysite]$ python manage.py migrate
Operations to perform:
  Synchronize unmigrated apps: staticfiles, messages
  Apply all migrations: admin, contenttypes, auth, sessions
Synchronizing apps without migrations:
  Creating tables...
    Running deferred SQL...
  Installing custom SQL...
Running migrations:
  Rendering model states... DONE
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying sessions.0001_initial... OK
[brian@localhost mysite]$
Dave Hodgins 2015-11-29 23:03:30 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2015-12-05 00:32:23 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0463.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED