Bug 13251 - python-django new security issues CVE-2014-047[2-4]
: python-django new security issues CVE-2014-047[2-4]
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/595636/
: MGA3TOO has_procedure advisory mga3-3...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-04-22 18:43 CEST by David Walser
Modified: 2015-11-28 21:34 CET (History)
4 users (show)

See Also:
Source RPM: python-django-1.6.2-1.mga5.src.rpm
CVE:


Attachments

Description David Walser 2014-04-22 18:43:24 CEST
Ubuntu has issued an advisory today (April 22):
http://www.ubuntu.com/usn/usn-2169-1/

The issues are fixed upstream in 1.4.11, 1.5.6, and 1.6.3.

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 Philippe Makowski 2014-04-22 23:32:53 CEST
Advisory:
========================

Updated python-django and python-dgango14 packages fix security vulnerabilities:

Benjamin Bach discovered that Django incorrectly handled dotted Python
paths when using the reverse() function. An attacker could use this issue
to cause Django to import arbitrary modules from the Python path, resulting
in possible code execution. (CVE-2014-0472)

Paul McMillan discovered that Django incorrectly cached certain pages that
contained CSRF cookies. An attacker could possibly use this flaw to obtain
a valid cookie and perform attacks which bypass the CSRF restrictions.
(CVE-2014-0473)

Michael Koziarski discovered that Django did not always perform explicit
conversion of certain fields when using a MySQL database. An attacker
could possibly use this issue to obtain unexpected results. (CVE-2014-0474)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0474
https://www.djangoproject.com/weblog/2014/apr/21/security/
http://www.ubuntu.com/usn/usn-2169-1/
========================

Updated packages in core/updates_testing:
========================
python-django-1.5.6-1.mga4.noarch
python3-django-1.5.6-1.mga4.noarch
python-django-doc-1.5.6-1.mga4.noarch
python-django14-1.4.11-1.mga4.noarch
python-django-1.4.11-1.mga3.noarch


from SRPMS:
python-django-1.5.6-1.mga4
python-django14-1.4.11-1.mga4
python-django-1.4.11-1.mga3

For Cauldron : python-django14-1.4.11-2.mga5 python-django-1.6.3-1.mga5
Comment 2 David Walser 2014-04-23 18:16:00 CEST
There may be an additional patch needed, due to an upstream regression, according to the updated Ubuntu advisory:
http://www.ubuntu.com/usn/usn-2169-2/
Comment 3 Philippe Makowski 2014-04-23 21:31:35 CEST
hum, this one https://code.djangoproject.com/ticket/22486
so let reassign the bug to me
Comment 4 Philippe Makowski 2014-04-24 22:37:59 CEST
Updated packages in core/updates_testing:
========================
python-django-1.5.6-1.1.mga4.noarch
python3-django-1.5.6-1.1.mga4.noarch
python-django-doc-1.5.6-1.1.mga4.noarch
python-django14-1.4.11-1.1.mga4.noarch
python-django-1.4.11-1.1.mga3.noarch


from SRPMS:
python-django-1.5.6-1.1.mga4
python-django14-1.4.11-1.1.mga4
python-django-1.4.11-1.1.mga3

For Cauldron : python-django14-1.4.11-3.mga5 python-django-1.6.3-2.mga5
Comment 5 claire robinson 2014-04-28 15:26:01 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10996#c9

I see we now have three versions of this in mga4 though (including python3 which will be slightly different) :(
Comment 6 claire robinson 2014-04-28 15:46:08 CEST
python-django and python-django14 conflict so can't be installed together, testing is the same for each of these. eg..

$ django-admin.py startproject mysite
$ cd mysite/
$ python manage.py runserver
Validating models...

0 errors found
April 28, 2014 - 08:30:48
Django version 1.5.6, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[28/Apr/2014 08:31:05] "GET / HTTP/1.1" 200 1957

Visit in a browser at http://localhost:8000 to see "It Works" message and then kill the server with ctrl-c

$ cd ..
$ rm -rf mysite


For python3-django..

$ python3-django-admin.py startproject mysite
$ cd mysite
$ python3 manage.py runserver
Validating models...

0 errors found
April 28, 2014 - 08:44:17
Django version 1.5.6, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[28/Apr/2014 08:44:27] "GET / HTTP/1.1" 200 1957
^C

$ cd ..
$ rm -rf mysite
Comment 7 claire robinson 2014-04-28 15:55:16 CEST
Testing complete mga4 32
Comment 8 claire robinson 2014-04-28 16:39:14 CEST
Testing complete mga3 32
Comment 9 claire robinson 2014-04-28 16:53:32 CEST
Testing complete mga3 64
Comment 10 claire robinson 2014-04-28 17:01:37 CEST
Validating. 13251.adv added to svn.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 11 Damien Lallement 2014-04-28 17:55:26 CEST
http://advisories.mageia.org/MGASA-2014-0196.html
Comment 12 William Kenney 2015-11-28 18:39:50 CET
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
python3-django

default install of python3-django

[root@localhost wilcal]# urpmi python3-django
Package python3-django-1.8.4-1.mga5.noarch is already installed

Test proceedure from 13251#c6 starts as follows:
$ django-admin.py startproject mysite
$ cd mysite/
$ python manage.py runserver
Validating models...

Results in the following:

[wilcal@localhost ~]$ django-admin.py startproject mysite
bash: django-admin.py: command not found

Where am I going wrong?
Comment 13 David Walser 2015-11-28 19:50:05 CET
(In reply to William Kenney from comment #12)
> Where am I going wrong?

Drop the .py at the end of the command, it's not there anymore.
Comment 14 Philippe Makowski 2015-11-28 21:34:34 CET
(In reply to William Kenney from comment #12)
> In VirtualBox, M5, KDE, 32-bit
> 
> Package(s) under test:
> python3-django
> 
> default install of python3-django
> 
> [root@localhost wilcal]# urpmi python3-django

> 
> [wilcal@localhost ~]$ django-admin.py startproject mysite
> bash: django-admin.py: command not found
> 
> Where am I going wrong?

you installed python3-django, so you need to use python3-django-admin
and if you install python-django, the it is django-admin

Note You need to log in before you can comment on or make changes to this bug.