| Summary: | python-django new security issues fixed in 1.3.4 and 1.4.2 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Philippe Makowski <makowski.mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | luigiwalser, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.djangoproject.com/weblog/2012/oct/17/security/ | ||
| Whiteboard: | MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-32-OK mga2-64-OK | ||
| Source RPM: | python-django | CVE: | |
| Status comment: | |||
Description

Philippe Makowski 2012-10-18 20:17:28 CEST

Philippe Makowski 2012-10-20 11:41:28 CEST
Version: Cauldron => 2

Manuel Hiebel 2012-10-20 20:09:29 CEST
Assignee: bugsquad => shlomif

arf packages are here sorry shlomi, philippe can you add an advisory for the QA? or is https://www.djangoproject.com/weblog/2012/oct/17/security/ enough? cf https://wiki.mageia.org/en/Updates_policy

Assignee: shlomif => bugsquad

Suggested advisory:
========================
Updated python-django packages fix security vulnerabilities:

The Host header parsing in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host() -- was incorrectly handling username/password information in the header. Using this, an attacker can cause parts of Django -- particularly the password-reset mechanism -- to generate and display arbitrary URLs to users.

References:
https://www.djangoproject.com/weblog/2012/oct/17/security/
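As an added illustration of the defence described in the advisory (this is not code from the bug report or from the Django project), the following stand-alone validator accepts a Host header only as a hostname or bracketed IPv6 literal with an optional port, so userinfo of the `user:pass@host` form never reaches the code that builds the password-reset link. The pattern, the function names and the URL layout are assumptions chosen for the example, not Django's own API.

```python
import re

# Accept only a hostname (letters, digits, dots, hyphens) or a bracketed
# IPv6 literal, optionally followed by ":port". Anything else, including
# "user:pass@" userinfo or a path, is rejected. The pattern is an
# assumption modelled on the style of check the 1.3.4/1.4.2 fix introduced,
# not Django's own code.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")


def is_valid_host(host):
    """Return True if `host` is a plain host[:port] with no userinfo or path."""
    return bool(HOST_RE.match(host.lower()))


def password_reset_url(host_header, token, https=False):
    """Build the absolute reset URL only from a validated Host header.

    Raises ValueError when the Host value fails validation, so a request
    carrying userinfo in Host cannot make the mailed link point elsewhere.
    The "/reset/<token>/" path is a hypothetical layout for the example.
    """
    if not is_valid_host(host_header):
        raise ValueError("invalid Host header: %r" % host_header)
    scheme = "https" if https else "http"
    return "%s://%s/reset/%s/" % (scheme, host_header, token)


if __name__ == "__main__":
    # Constructed sample Host values: the first three pass, the rest fail.
    samples = ["example.com", "example.com:8000", "[::1]:8000",
               "user:pass@example.com", "example.com/evil"]
    for h in samples:
        print("%-24s -> %s" % (h, is_valid_host(h)))
```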
Manuel Hiebel 2012-10-27 00:15:14 CEST
Assignee: bugsquad => qa-bugs

Previously tested using https://docs.djangoproject.com/en/dev/intro/tutorial01/

Whiteboard: MGA1TOO => MGA1TOO has_procedure

This seems to be CVE-2012-4520 could somebody confirm please?

Testing complete Mga2 32

Testing basic functionality only.

```
$ mkdir python-django
$ cd python-django
$ django-admin.py startproject mysite
$ cd mysite
$ python manage.py runserver
Validating models...
0 errors found

Django version 1.3.3, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
```

Checked it worked with a browser then quit it with ctrl-c

Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure mga2-32-OK

Testing complete mga2 64 same procedure.

Whiteboard: MGA1TOO has_procedure mga2-32-OK => MGA1TOO has_procedure mga2-32-OK mga2-64-OK

Testing complete mga1 32

Whiteboard: MGA1TOO has_procedure mga2-32-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga2-32-OK mga2-64-OK

(In reply to comment #4)
> This seems to be CVE-2012-4520 could somebody confirm please?

Yep, thanks for catching this.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4520

CC: (none) => luigiwalser

Testing complete mga1 64

Validating

Suggested advisory:
========================
Updated python-django packages fix security vulnerabilities:

The Host header parsing in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host() -- was incorrectly handling username/password information in the header. Using this, an attacker can cause parts of Django -- particularly the password-reset mechanism -- to generate and display arbitrary URLs to users.

References:
https://www.djangoproject.com/weblog/2012/oct/17/security/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4520
===========================
python-django-1.3.4-1.mga1
python-django-1.3.4-1.mga2

Could sysadmin please push from core/updates_testing to core/updates
Thanks!

Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0315

Status: NEW => RESOLVED