Upstream has issued an advisory on May 14: https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/ The issues are fixed upstream in 1.4.13, 1.5.8, and 1.6.5. Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
fixed with python-django-1.4.13-1.mga3, python-django-1.5.8-1.mga4 & python-django-1.5.8-1.mga4.
CC: (none) => oe
Thanks Oden! Unfortunately we currently have multiple Django versions packaged, so there's also a python-django14 SRPM in Mageia 4 and Cauldron which need to be updated as well.
Ubuntu has issued an advisory for this on May 14: http://www.ubuntu.com/usn/usn-2212-1/
URL: (none) => http://lwn.net/Vulnerabilities/598863/
fixed too in python-django14-1.4.13-1.mga4 and python-django14-1.4.13-2.mga5
Thanks Philippe (and Oden)!

Advisory:
========================

Updated python-django and python-django14 packages fix security vulnerabilities:

Stephen Stewart, Michael Nelson, Natalia Bidart and James Westby discovered that Django improperly removed Vary and Cache-Control headers from HTTP responses when replying to a request from an Internet Explorer or Chrome Frame client. An attacker may use this to retrieve private data or poison caches. This update removes workarounds for bugs in Internet Explorer 6 and 7 (CVE-2014-1418).

Peter Kuma and Gavin Wahl discovered that Django did not correctly validate some malformed URLs, which are accepted by some browsers. An attacker may use this to cause unexpected redirects (CVE-2014-3730).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3730
https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/
http://www.ubuntu.com/usn/usn-2212-1/
========================

Updated packages in core/updates_testing:
========================
python-django-1.4.13-1.mga3
python-django-1.5.8-1.mga4
python3-django-1.5.8-1.mga4
python-django-doc-1.5.8-1.mga4
python-django14-1.4.13-1.mga4

from SRPMS:
python-django-1.4.13-1.mga3.src.rpm
python-django-1.5.8-1.mga4.src.rpm
python-django14-1.4.13-1.mga4.src.rpm
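As an added illustration of the CVE-2014-3730 class of problem described in the advisory (this is example code written here, not Django's own is_safe_url or anything from the Mageia packages), the check below refuses redirect targets that urlparse reads as relative but that some browsers treat as pointing at another host. The function name, the `host` argument and the sample URLs are assumptions constructed for the example.

```python
# Added example (not Django's code): a redirect-target validator in the
# spirit of the CVE-2014-3730 hardening. It returns True only for relative
# URLs or absolute http/https URLs whose host matches the expected one.
from urllib.parse import urlparse


def is_safe_redirect(url: str, host: str) -> bool:
    """Return True if `url` may be used as a redirect target for `host`."""
    if not url:
        return False
    # Some browsers treat a backslash like a forward slash, so normalise
    # first; otherwise "\\other.example" would parse as a harmless path.
    url = url.replace("\\", "/")
    # Three or more leading slashes: urlparse yields an empty netloc, but a
    # browser may read the first path segment as the host. Reject outright.
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    # A scheme with no host, e.g. "http:///other.example", also parses with
    # an empty netloc even though a browser would navigate off-site.
    if parts.scheme and not parts.netloc:
        return False
    same_host = not parts.netloc or parts.netloc == host
    scheme_ok = not parts.scheme or parts.scheme in ("http", "https")
    return same_host and scheme_ok


if __name__ == "__main__":
    # Constructed sample inputs for the local host "example.com".
    for candidate in ("/accounts/profile/", "https://example.com/next",
                      "http://other.example/", "http:///other.example",
                      "///other.example", "\\\\other.example"):
        print(f"{candidate!r:28} -> {is_safe_redirect(candidate, 'example.com')}")
```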
CC: (none) => makowski.mageia
Version: Cauldron => 4
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Procedure: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
Whiteboard: MGA3TOO => MGA3TOO has_procedure
test ok on mga3-64
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok
test ok on mga4-64
Whiteboard: MGA3TOO has_procedure mga3-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0231.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
LWN reference for CVE-2014-3730: http://lwn.net/Vulnerabilities/599626/