Bug 11217 - python-django new security issues CVE-2013-4315 and CVE-2013-1443
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/566244/
Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok mga3-32...
Keywords: validated_update
Reported: 2013-09-11 18:57 CEST by David Walser
Modified: 2013-09-19 11:53 CEST (History)

Source RPM: python-django-1.4.6-1.mga3.src.rpm
Description David Walser 2013-09-11 18:57:30 CEST
Debian has issued an advisory today (September 11):
http://lists.debian.org/debian-security-announce/2013/msg00165.html

The issue was fixed upstream in 1.4.7, which was released yesterday:
https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/

Mageia 2 and Mageia 3 are also affected.

Comment 1 Philippe Makowski 2013-09-11 19:22:34 CEST
I take care of it
Comment 2 Philippe Makowski 2013-09-11 20:27:06 CEST
Here are the new packages:

python-django-1.4.7-1.mga3.noarch
python-django-1.4.7-1.mga3.src

python-django-1.3.7-1.2.mga2.noarch
python-django-1.3.7-1.2.mga2.src

python-django-doc-1.5.3-1.mga4.noarch
python-django-1.5.3-1.mga4.noarch
python3-django-1.5.3-1.mga4.noarch
python-django-1.5.3-1.mga4.src
Comment 3 David Walser 2013-09-11 20:53:39 CEST
Thanks Philippe!

Advisory:
========================

Updated python-django package fixes security vulnerability:

Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi'
template tags in python-django, a high-level Python web development framework.
It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to
represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a
directory traversal attack, by specifying a file path which begins as the
absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative
paths to break free.  To exploit this vulnerability an attacker must be in a
position to alter templates on the site, or the site to be attacked must have
one or more templates making use of the 'ssi' tag, and must allow some form of
unsanitized user input to be used as an argument to the 'ssi' tag
(CVE-2013-4315).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4315
https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
http://www.debian.org/security/2013/dsa-2755
========================

Updated packages in core/updates_testing:
========================
python-django-1.3.7-1.2.mga2
python-django-1.4.7-1.mga3

from SRPMS:
python-django-1.3.7-1.2.mga2.src.rpm
python-django-1.4.7-1.mga3.src.rpm
Comment 4 Dave Hodgins 2013-09-12 22:34:27 CEST
Advisory 11217.adv committed to svn.
Comment 5 David GEIGER 2013-09-14 07:40:51 CEST
Testing complete mga3_64, ok for me nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite

[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
manage.py*  mysite/

[david@localhost mysite]$ cd mysite
[david@localhost mysite]$ ls
__init__.py  settings.py  urls.py  wsgi.py

[david@localhost mysite]$ cd..

[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.4.7, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[14/Sep/2013 00:37:51] "GET / HTTP/1.1" 200 1957

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c
Comment 6 David GEIGER 2013-09-14 07:50:13 CEST
Testing complete mga3_32, ok for me nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite

[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
manage.py*  mysite/

[david@localhost mysite]$ cd mysite
[david@localhost mysite]$ ls
__init__.py  settings.py  urls.py  wsgi.py

[david@localhost mysite]$ cd..

[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.4.7, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[14/Sep/2013 00:48:45] "GET / HTTP/1.1" 200 1957

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c
Comment 7 David GEIGER 2013-09-14 08:06:50 CEST
Testing complete mga2_32, ok for me nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite

[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
__init__.py  manage.py  settings.py  urls.py

[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.3.7, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[14/Sep/2013 01:05:11] "GET / HTTP/1.1" 200 2051

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c
Comment 8 Dave Hodgins 2013-09-15 23:50:39 CEST
While the explanation of how to exploit the bug is clear, there is no
simple example application, or easy-to-find instructions on how to
set up a test using the 'ssi' tag, so I am just testing that python-django
is working.

Testing complete on Mageia 2 x86_64.

Someone from the sysadmin team please push 11217.adv to updates.
Comment 9 David Walser 2013-09-16 14:39:10 CEST
This needs to be updated again for another security issue, CVE-2013-4315:
https://www.djangoproject.com/weblog/2013/sep/15/security/
http://www.openwall.com/lists/oss-security/2013/09/15/3
Comment 10 David Walser 2013-09-16 14:45:07 CEST
It looks like Oden has already updated this for Mageia 3 and Cauldron, so it just needs an update for Mageia 2.
Comment 11 Philippe Makowski 2013-09-16 16:58:57 CEST
Ok, I will try to backport the patch to python-django-1.3.7 in mga2
from Django 1.4.8
Comment 12 Philippe Makowski 2013-09-16 20:30:35 CEST
I can't backport it: the default password hasher in Django, PBKDF2, which is the main point of this security issue (CVE-2013-4315), is not present in Django 1.3.7; it was introduced in Django 1.4.
So IMHO, CVE-2013-4315 doesn't apply to Django 1.3.7 and thus mga2 doesn't need to be updated for this.
Comment 13 David Walser 2013-09-16 20:47:06 CEST
Thanks Philippe!

Advisory (Mageia 2):
========================

Updated python-django package fixes security vulnerability:

Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi'
template tags in python-django, a high-level Python web development framework.
It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to
represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a
directory traversal attack, by specifying a file path which begins as the
absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative
paths to break free.  To exploit this vulnerability an attacker must be in a
position to alter templates on the site, or the site to be attacked must have
one or more templates making use of the 'ssi' tag, and must allow some form of
unsanitized user input to be used as an argument to the 'ssi' tag
(CVE-2013-4315).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4315
https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
http://www.debian.org/security/2013/dsa-2755
========================

Updated packages in core/updates_testing:
========================
python-django-1.3.7-1.2.mga2

from python-django-1.3.7-1.2.mga2.src.rpm

Advisory (Mageia 3):
========================

Updated python-django package fixes security vulnerabilities:

Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi'
template tags in python-django, a high-level Python web development framework.
It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to
represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a
directory traversal attack, by specifying a file path which begins as the
absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative
paths to break free.  To exploit this vulnerability an attacker must be in a
position to alter templates on the site, or the site to be attacked must have
one or more templates making use of the 'ssi' tag, and must allow some form of
unsanitized user input to be used as an argument to the 'ssi' tag
(CVE-2013-4315).

Django before 1.4.8 allows for denial-of-service attacks through repeated
submission of large passwords, tying up server resources in the expensive
computation of the corresponding hashes (CVE-2013-1443).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4315
https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
https://www.djangoproject.com/weblog/2013/sep/15/security/
http://www.debian.org/security/2013/dsa-2755
========================

Updated packages in core/updates_testing:
========================
python-django-1.4.8-1.mga3

from python-django-1.4.8-1.mga3.src.rpm
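To make the CVE-2013-4315 advisory text concrete, here is an added example (not Django's code and not part of the Mageia package) contrasting a plain prefix check on the raw 'ssi' path, which lets a path that begins with an allowed root climb back out with relative segments, against a check that normalises the path first and then matches on a directory boundary. The ALLOWED_INCLUDE_ROOTS value and the paths are constructed for the example.

```python
import os

# Constructed setting value, standing in for Django's ALLOWED_INCLUDE_ROOTS.
ALLOWED_INCLUDE_ROOTS = ("/var/www/includes",)


def include_is_allowed_weak(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Plain prefix match on the raw path (hypothetical pre-fix shape).

    A path that starts with an allowed root and then uses '..' to leave it
    still passes, which is the traversal the advisory describes.
    """
    return any(filepath.startswith(root) for root in roots)


def include_is_allowed_hardened(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Normalise first, then match on a directory boundary.

    os.path.abspath collapses '..' segments so the comparison sees the path
    that would actually be opened; appending os.sep to the root stops a
    sibling such as '/var/www/includes-private' from matching the root.
    """
    real = os.path.abspath(filepath)
    for root in roots:
        root = os.path.abspath(root)
        if real == root or real.startswith(root + os.sep):
            return True
    return False


def traversal_blocked(filepath):
    """True when the hardened check rejects a path the weak check accepted."""
    return (include_is_allowed_weak(filepath)
            and not include_is_allowed_hardened(filepath))


if __name__ == "__main__":
    for p in ("/var/www/includes/footer.html",
              "/var/www/includes/../../../etc/passwd",
              "/var/www/includes-private/x.html"):
        print(p, include_is_allowed_weak(p), include_is_allowed_hardened(p))
```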
Comment 14 David Walser 2013-09-16 20:49:45 CEST
I've restored the Mageia 2 testing markers, as it was previously validated and has not been updated again.
Comment 15 claire robinson 2013-09-17 11:53:47 CEST
Testing complete mga3 32 & 64
Comment 16 claire robinson 2013-09-17 12:40:09 CEST
Existing advisory split into 11217.adv and 11217.mga3.adv, both are uploaded to svn.

Validating

Could sysadmin please push from 2 & 3 core/updates_testing to updates

Thanks!
Comment 17 David Walser 2013-09-18 20:10:41 CEST
LWN reference for CVE-2013-1443:
http://lwn.net/Vulnerabilities/567275/
Comment 18 Thomas Backlund 2013-09-19 11:53:42 CEST
Mga2 update pushed:
http://advisories.mageia.org/MGASA-2013-0283.html

Mga3 update pushed:
http://advisories.mageia.org/MGASA-2013-0284.html
