Debian has issued an advisory today (September 11): http://lists.debian.org/debian-security-announce/2013/msg00165.html

The issue was fixed upstream in 1.4.7, which was released yesterday: https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/

Mageia 2 and Mageia 3 are also affected.
CC: (none) => makowski.mageia
Whiteboard: (none) => MGA3TOO, MGA2TOO
I take care of it
Here are the new packages:

python-django-1.4.7-1.mga3.noarch
python-django-1.4.7-1.mga3.src
python-django-1.3.7-1.2.mga2.noarch
python-django-1.3.7-1.2.mga2.src
python-django-doc-1.5.3-1.mga4.noarch
python-django-1.5.3-1.mga4.noarch
python3-django-1.5.3-1.mga4.noarch
python-django-1.5.3-1.mga4.src
Thanks Philippe!

Advisory:
========================

Updated python-django package fixes security vulnerability:

Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi' template tags in python-django, a high-level Python web development framework. It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a directory traversal attack, by specifying a file path which begins as the absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative paths to break free.

To exploit this vulnerability an attacker must be in a position to alter templates on the site, or the site to be attacked must have one or more templates making use of the 'ssi' tag, and must allow some form of unsanitized user input to be used as an argument to the 'ssi' tag (CVE-2013-4315).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4315
https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
http://www.debian.org/security/2013/dsa-2755
========================

Updated packages in core/updates_testing:
========================
python-django-1.3.7-1.2.mga2
python-django-1.4.7-1.mga3

from SRPMS:
python-django-1.3.7-1.2.mga2.src.rpm
python-django-1.4.7-1.mga3.src.rpm
Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Advisory 11217.adv committed to svn.
CC: (none) => davidwhodgins
Testing complete mga3_64, ok for me, nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite
[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
manage.py*  mysite/
[david@localhost mysite]$ cd mysite
[david@localhost mysite]$ ls
__init__.py  settings.py  urls.py  wsgi.py
[david@localhost mysite]$ cd..
[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.4.7, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[14/Sep/2013 00:37:51] "GET / HTTP/1.1" 200 1957

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c.
CC: (none) => geiger.david68210
Testing complete mga3_32, ok for me, nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite
[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
manage.py*  mysite/
[david@localhost mysite]$ cd mysite
[david@localhost mysite]$ ls
__init__.py  settings.py  urls.py  wsgi.py
[david@localhost mysite]$ cd..
[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.4.7, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[14/Sep/2013 00:48:45] "GET / HTTP/1.1" 200 1957

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c.
Whiteboard: MGA2TOO => MGA2TOO mga3-64-ok mga3-32-ok
Testing complete mga2_32, ok for me, nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite
[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
__init__.py  manage.py  settings.py  urls.py
[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.3.7, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[14/Sep/2013 01:05:11] "GET / HTTP/1.1" 200 2051

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c.
Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok => MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok
While the explanation of how to exploit the bug is clear, there is no simple example application, or easy-to-find instructions on how to set up a test using the 'ssi' tag, so I am just testing that python-django is working.

Testing complete on Mageia 2 x86_64.

Someone from the sysadmin team please push 11217.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok => MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs
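Since the thread notes there is no simple way to exercise the 'ssi' check, here is a stand-alone Python model of the prefix test the advisory describes. It is an added example, not Django's own code or the project's test; the root list and function names are assumptions. It shows why a bare string-prefix test on an 'ALLOWED_INCLUDE_ROOTS' entry can be escaped with relative path segments, and how normalising the path before the containment test closes that gap.

```python
import os

# Constructed stand-in for Django's ALLOWED_INCLUDE_ROOTS setting
# (hypothetical path; nothing here touches the filesystem).
ALLOWED_ROOTS = ("/var/www/includes/",)


def include_is_allowed_prefix_only(filepath, roots=ALLOWED_ROOTS):
    """Weak form of the check: a plain string-prefix test.

    A path such as '/var/www/includes/../../../etc/passwd' starts with
    the allowed root as a string, so it is accepted even though the
    operating system resolves it to a file outside that root.  This is
    the pattern the CVE-2013-4315 advisory describes.
    """
    return any(filepath.startswith(root) for root in roots)


def include_is_allowed(filepath, roots=ALLOWED_ROOTS):
    """Hardened form: normalise first, then test containment.

    os.path.abspath collapses '.' and '..' segments (it does not resolve
    symlinks; use os.path.realpath if the include roots may contain
    them).  os.path.commonpath compares whole path components, so a
    sibling directory like '/var/www/includes-evil' is also rejected.
    """
    normalised = os.path.abspath(filepath)
    for root in roots:
        root = os.path.abspath(root)  # also strips the trailing slash
        if os.path.commonpath([normalised, root]) == root:
            return True
    return False


def compare_checks(filepath):
    """Return (prefix_only_result, hardened_result) for one candidate."""
    return (include_is_allowed_prefix_only(filepath),
            include_is_allowed(filepath))


if __name__ == "__main__":
    for candidate in ("/var/www/includes/header.html",
                      "/var/www/includes/../../../etc/passwd",
                      "/var/www/includes-evil/x.html",
                      "/etc/passwd"):
        print(candidate, compare_checks(candidate))
```

Run on Linux (or any POSIX path semantics); the traversal candidate is the case the prefix-only check wrongly accepts and the hardened check rejects.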
This needs to be updated again for another security issue, CVE-2013-4315:

https://www.djangoproject.com/weblog/2013/sep/15/security/
http://www.openwall.com/lists/oss-security/2013/09/15/3
Keywords: validated_update => (none)
CC: (none) => qa-bugs
Assignee: qa-bugs => makowski.mageia
Summary: python-django new security issue CVE-2013-4315 => python-django new security issues CVE-2013-4315 and CVE-2013-1443
Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok mga2-64-ok => MGA2TOO
It looks like Oden has already updated this for Mageia 3 and Cauldron, so it just needs an update for Mageia 2.
Ok, I will try to backport the patch from Django 1.4.8 to python-django-1.3.7 in mga2.
I can't backport it: the default password hasher in Django, PBKDF2, which is the main point of this security issue (CVE-2013-4315), is not present in Django 1.3.7; it was introduced in Django 1.4. So IMHO, CVE-2013-4315 doesn't apply to Django 1.3.7 and thus mga2 doesn't need to be updated for this.
Thanks Philippe!

Advisory (Mageia 2):
========================

Updated python-django package fixes security vulnerability:

Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi' template tags in python-django, a high-level Python web development framework. It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a directory traversal attack, by specifying a file path which begins as the absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative paths to break free.

To exploit this vulnerability an attacker must be in a position to alter templates on the site, or the site to be attacked must have one or more templates making use of the 'ssi' tag, and must allow some form of unsanitized user input to be used as an argument to the 'ssi' tag (CVE-2013-4315).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4315
https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
http://www.debian.org/security/2013/dsa-2755
========================

Updated packages in core/updates_testing:
========================
python-django-1.3.7-1.2.mga2

from python-django-1.3.7-1.2.mga2.src.rpm

Advisory (Mageia 3):
========================

Updated python-django package fixes security vulnerabilities:

Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi' template tags in python-django, a high-level Python web development framework. It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a directory traversal attack, by specifying a file path which begins as the absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative paths to break free.

To exploit this vulnerability an attacker must be in a position to alter templates on the site, or the site to be attacked must have one or more templates making use of the 'ssi' tag, and must allow some form of unsanitized user input to be used as an argument to the 'ssi' tag (CVE-2013-4315).

Django before 1.4.8 allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes (CVE-2013-1443).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4315
https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
https://www.djangoproject.com/weblog/2013/sep/15/security/
http://www.debian.org/security/2013/dsa-2755
========================

Updated packages in core/updates_testing:
========================
python-django-1.4.8-1.mga3

from python-django-1.4.8-1.mga3.src.rpm
Assignee: makowski.mageia => qa-bugs
I've restored the Mageia 2 testing markers, as it was previously validated and has not been updated again.
Whiteboard: MGA2TOO => MGA2TOO mga2-32-ok mga2-64-ok
Testing complete mga3 32 & 64
Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok => MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Existing advisory split into 11217.adv and 11217.mga3.adv; both are uploaded to svn.

Validating. Could sysadmin please push from 2 & 3 core/updates_testing to updates? Thanks!
Keywords: (none) => validated_update
LWN reference for CVE-2013-1443: http://lwn.net/Vulnerabilities/567275/
Mga2 update pushed: http://advisories.mageia.org/MGASA-2013-0283.html
Mga3 update pushed: http://advisories.mageia.org/MGASA-2013-0284.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED