Ubuntu has issued an advisory today (April 22): http://www.ubuntu.com/usn/usn-2169-1/

The issues are fixed upstream in 1.4.11, 1.5.6, and 1.6.3. Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Advisory:
========================

Updated python-django and python-django14 packages fix security vulnerabilities:

Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() function. An attacker could use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution. (CVE-2014-0472)

Paul McMillan discovered that Django incorrectly cached certain pages that contained CSRF cookies. An attacker could possibly use this flaw to obtain a valid cookie and perform attacks which bypass the CSRF restrictions. (CVE-2014-0473)

Michael Koziarski discovered that Django did not always perform explicit conversion of certain fields when using a MySQL database. An attacker could possibly use this issue to obtain unexpected results. (CVE-2014-0474)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0474
https://www.djangoproject.com/weblog/2014/apr/21/security/
http://www.ubuntu.com/usn/usn-2169-1/
========================

Updated packages in core/updates_testing:
========================
python-django-1.5.6-1.mga4.noarch
python3-django-1.5.6-1.mga4.noarch
python-django-doc-1.5.6-1.mga4.noarch
python-django14-1.4.11-1.mga4.noarch
python-django-1.4.11-1.mga3.noarch

from SRPMS:
python-django-1.5.6-1.mga4
python-django14-1.4.11-1.mga4
python-django-1.4.11-1.mga3

For Cauldron:
python-django14-1.4.11-2.mga5
python-django-1.6.3-1.mga5
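The two higher-impact issues in the advisory above, shown from the defensive side in an added example that is not Django's code and not part of the packages under test: an allow-list check that refuses to import a view module that the URLconf does not reference (the class of bug behind CVE-2014-0472), and a Vary: Cookie patch that stops a response carrying a csrftoken cookie from being handed to a different client out of a shared cache (the class of bug behind CVE-2014-0473). The module name mysite.views, the allow-list, the header dicts and the csrftoken values are all constructed for the example.

```python
import hashlib
import importlib
import sys
import types


def resolve_view(dotted_path, allowed_modules):
    """Return the callable named by `dotted_path`, importing its module only
    when that module is in `allowed_modules` (assumed to be the set of modules
    the URLconf's view references point into). The check runs before any
    import, so an unregistered module is never loaded as a side effect."""
    if "." not in dotted_path:
        raise ValueError("not a dotted path: %r" % dotted_path)
    module_name, attr = dotted_path.rsplit(".", 1)
    if module_name not in allowed_modules:
        raise ValueError("module %r is not a registered view module" % module_name)
    view = getattr(importlib.import_module(module_name), attr, None)
    if not callable(view):
        raise ValueError("%r does not name a callable view" % dotted_path)
    return view


def patch_vary_headers(headers, new_headers):
    """Add header names to the response's Vary header, case-insensitively and
    without duplicates. `headers` is a plain dict and is modified in place."""
    existing = [h.strip() for h in headers.get("Vary", "").split(",") if h.strip()]
    seen = {h.lower() for h in existing}
    for name in new_headers:
        if name.lower() not in seen:
            existing.append(name)
            seen.add(name.lower())
    headers["Vary"] = ", ".join(existing)
    return headers


def cache_key(url, response_headers, request_headers):
    """Key under which a shared cache would store this response: the URL plus
    the value of every request header listed in the response's Vary header
    (`request_headers` uses lower-case names). If Vary does not cover Cookie,
    two different clients get the same key, so a cached response whose
    Set-Cookie carries one client's csrftoken would be served to the other."""
    parts = [url]
    for name in response_headers.get("Vary", "").split(","):
        name = name.strip().lower()
        if name:
            parts.append("%s=%s" % (name, request_headers.get(name, "")))
    return hashlib.sha256("\n".join(parts).encode("utf-8")).hexdigest()


def csrf_response_is_shareable(response_headers):
    """True when a response that sets csrftoken could still be served to another
    client from a shared cache, i.e. its Vary header does not include Cookie."""
    if "csrftoken=" not in response_headers.get("Set-Cookie", ""):
        return False
    vary = {v.strip().lower() for v in response_headers.get("Vary", "").split(",")}
    return "cookie" not in vary


def register_demo_views():
    """Constructed stand-in for a project's views module (mysite.views is an
    assumed name), registered in sys.modules so the example runs offline.
    Returns the allow-list a scan of the URLconf would have produced."""
    sys.modules.setdefault("mysite", types.ModuleType("mysite"))
    views = types.ModuleType("mysite.views")
    views.home = lambda request: "home page"
    sys.modules["mysite.views"] = views
    return {"mysite.views"}


if __name__ == "__main__":
    allowed = register_demo_views()
    print(resolve_view("mysite.views.home", allowed)(None))
    for bad in ("os.system", "home", "mysite.views.missing"):
        try:
            resolve_view(bad, allowed)
        except ValueError as exc:
            print("rejected:", exc)

    # Constructed response and two constructed clients, one with a csrftoken cookie.
    resp = {"Content-Type": "text/html", "Set-Cookie": "csrftoken=abc123"}
    alice = {"cookie": "csrftoken=abc123"}
    bob = {}
    print("before fix: shareable =", csrf_response_is_shareable(resp),
          "same key =", cache_key("/form/", resp, alice) == cache_key("/form/", resp, bob))
    patch_vary_headers(resp, ("Cookie",))
    print("after fix:  shareable =", csrf_response_is_shareable(resp),
          "same key =", cache_key("/form/", resp, alice) == cache_key("/form/", resp, bob))
```

The allow-list is the point of the first half: the decision is taken on the string alone, before `importlib.import_module` runs, so nothing outside the registered modules is ever executed on lookup. In the second half the cache key is only as discriminating as the Vary header, which is why a response that sets a per-client cookie must declare Vary: Cookie before any shared cache sees it.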
Assignee: makowski.mageia => qa-bugs
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
There may be an additional patch needed, due to an upstream regression, according to the updated Ubuntu advisory: http://www.ubuntu.com/usn/usn-2169-2/
Hum, this one: https://code.djangoproject.com/ticket/22486 so let me reassign the bug to myself.
CC: (none) => makowski.mageia
Assignee: qa-bugs => makowski.mageia
Updated packages in core/updates_testing:
========================
python-django-1.5.6-1.1.mga4.noarch
python3-django-1.5.6-1.1.mga4.noarch
python-django-doc-1.5.6-1.1.mga4.noarch
python-django14-1.4.11-1.1.mga4.noarch
python-django-1.4.11-1.1.mga3.noarch

from SRPMS:
python-django-1.5.6-1.1.mga4
python-django14-1.4.11-1.1.mga4
python-django-1.4.11-1.1.mga3

For Cauldron:
python-django14-1.4.11-3.mga5
python-django-1.6.3-2.mga5
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10996#c9

I see we now have three versions of this in mga4 though (including python3, which will be slightly different) :(
python-django and python-django14 conflict so they can't be installed together; testing is the same for each of these. e.g.

$ django-admin.py startproject mysite
$ cd mysite/
$ python manage.py runserver
Validating models...

0 errors found
April 28, 2014 - 08:30:48
Django version 1.5.6, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[28/Apr/2014 08:31:05] "GET / HTTP/1.1" 200 1957

Visit in a browser at http://localhost:8000 to see the "It Works" message and then kill the server with ctrl-c.

$ cd ..
$ rm -rf mysite

For python3-django..

$ python3-django-admin.py startproject mysite
$ cd mysite
$ python3 manage.py runserver
Validating models...

0 errors found
April 28, 2014 - 08:44:17
Django version 1.5.6, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[28/Apr/2014 08:44:27] "GET / HTTP/1.1" 200 1957
^C
$ cd ..
$ rm -rf mysite
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. 13251.adv added to svn. Could sysadmin please push to 3 & 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0196.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
python3-django

default install of python3-django

[root@localhost wilcal]# urpmi python3-django
Package python3-django-1.8.4-1.mga5.noarch is already installed

Test procedure from 13251#c6 starts as follows:

$ django-admin.py startproject mysite
$ cd mysite/
$ python manage.py runserver
Validating models...

Results in the following:

[wilcal@localhost ~]$ django-admin.py startproject mysite
bash: django-admin.py: command not found

Where am I going wrong?
CC: (none) => wilcal.int
(In reply to William Kenney from comment #12)
> Where am I going wrong?

Drop the .py at the end of the command, it's not there anymore.
(In reply to William Kenney from comment #12)
> In VirtualBox, M5, KDE, 32-bit
>
> Package(s) under test:
> python3-django
>
> default install of python3-django
>
> [root@localhost wilcal]# urpmi python3-django
>
> [wilcal@localhost ~]$ django-admin.py startproject mysite
> bash: django-admin.py: command not found
>
> Where am I going wrong?

You installed python3-django, so you need to use python3-django-admin, and if you install python-django, then it is django-admin.