Bug 9189

Summary: python-django new security issues fixed in 1.3.6 and 1.4.4
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, dmorganec, makowski.mageia, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/540268/
Whiteboard: MGA2-64-OK MGA2-32-OK
Source RPM: python-django-1.3.5-1.mga2.src.rpm CVE:
Status comment:

Description David Walser 2013-02-26 22:27:11 CET 
Upstream has released 1.3.6 and 1.4.4 to fix security issues:
https://www.djangoproject.com/weblog/2013/feb/19/security/

Mageia 2 and Cauldron are both affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-02-26 22:27:36 CET

CC: (none) => makowski.mageia

David Walser 2013-02-26 22:28:09 CET

CC: (none) => dmorganec
Assignee: bugsquad => makowski.mageia

Comment 1 David Walser 2013-02-26 23:46:37 CET 
Fixed in Cauldron by D Morgan, now we just need to update Mageia 2.

Version: Cauldron => 2

Comment 2 David Walser 2013-02-27 18:45:47 CET 
Debian has issued an advisory for this today (February 27):
http://www.debian.org/security/2013/dsa-2634

URL: (none) => http://lwn.net/Vulnerabilities/540268/

Comment 3 Philippe Makowski 2013-02-27 20:17:33 CET 
Fixed in Mageia 2  python-django-1.3.7-1.mga2
Comment 4 David Walser 2013-02-27 20:30:51 CET 
Thanks Philippe!

Advisory:
========================

Updated python-django packages fix security vulnerabilities:

Orange Tsai discovered that the bundled administrative interface of django
could expose supposedly-hidden information via its history log (CVE-2013-0305).

Mozilla discovered that an attacker can abuse django's tracking of the number
of forms in a formset to cause a denial-of-service attack due to extreme memory
consumption (CVE-2013-0306).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0306
https://www.djangoproject.com/weblog/2013/feb/19/security/
http://www.debian.org/security/2013/dsa-2634
========================

Updated packages in core/updates_testing:
========================
python-django-1.3.7-1.mga2

from python-django-1.3.7-1.mga2.src.rpm

Assignee: makowski.mageia => qa-bugs

Comment 5 Dave Hodgins 2013-02-28 05:31:23 CET 
No poc, so just testing update with ...
# urpmi python-django
$ mkdir django
$ cd django
$ django-admin.py startproject mysite
$ cd mysite
$ python manage.py runserver 8080
Then browse to http://127.0.0.1:8080 in a web browser.

Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push the srpm
python-django-1.3.7-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated python-django packages fix security vulnerabilities:

Orange Tsai discovered that the bundled administrative interface of django
could expose supposedly-hidden information via its history log (CVE-2013-0305).

Mozilla discovered that an attacker can abuse django's tracking of the number
of forms in a formset to cause a denial-of-service attack due to extreme memory
consumption (CVE-2013-0306).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0306
https://www.djangoproject.com/weblog/2013/feb/19/security/
http://www.debian.org/security/2013/dsa-2634

https://bugs.mageia.org/show_bug.cgi?id=9189

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK

Comment 6 Thomas Backlund 2013-03-01 22:22:27 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0076

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED