Bug 13963 - python-django new security issues CVE-2014-048[0-3]
Summary: python-django new security issues CVE-2014-048[0-3]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/609502/
Whiteboard: MGA3TOO has_procedure advisory MGA3-...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-08-21 19:30 CEST by David Walser
Modified: 2014-09-05 11:08 CEST

See Also:
Source RPM: python-django-1.6.5-2.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2014-08-21 19:30:39 CEST
Upstream has issued an advisory on August 20:
https://www.djangoproject.com/weblog/2014/aug/20/security/

The issues are fixed upstream in 1.4.14, 1.5.9, and 1.6.6.

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-08-21 19:30:46 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-08-21 20:17:55 CEST
Looks like Philippe built all of the needed updates.

python-django-1.4.14-1.mga3
python-django14-1.4.14-1.1.mga4
python-django-1.5.9-1.mga4
python-django14-1.4.14-1.mga5
python-django-1.6.6-1.mga5

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 Philippe Makowski 2014-08-21 20:53:17 CEST
Advisory:
========================

Updated python-django, python3-django and python-django14  packages fix security vulnerabilities:

These releases address an issue with reverse() generating external URLs (CVE-2014-0480); a denial of service involving file uploads  (CVE-2014-0481); a potential session hijacking issue in the remote-user middleware (CVE-2014-0482); and a data leak in the administrative interface (CVE-2014-0483).

References:
https://www.djangoproject.com/weblog/2014/aug/20/security/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0481
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0483
========================

Updated packages in core/updates_testing:
========================
python-django-1.4.14-1.mga3.noarch

python-django14-1.4.14-1.1.mga4.noarch
python-django-1.5.9-1.mga4.noarch
python3-django-1.5.9-1.mga4.noarch
python-django-doc-1.5.9-1.mga4.noarch

python-django14-1.4.14-1.mga5.noarch
python-django-1.6.6-1.mga5.noarch
python3-django-1.6.6-1.mga5.noarch
python-django-doc-1.6.6-1.mga5.noarch
python-django-bash-completion-1.6.6-1.mga5.noarch


from SRPMS:
python-django-1.4.14-1.mga3
python-django14-1.4.14-1.1.mga4
python-django-1.5.9-1.mga4
python-django14-1.4.14-1.mga5
python-django-1.6.6-1.mga5

Assignee: makowski.mageia => qa-bugs

Comment 3 David Walser 2014-08-21 21:02:40 CEST
Thanks Philippe!

Just one minor adjustment, we just list SRPM names in the header.

Updated python-django and python-django14 packages fix security vulnerabilities:

These releases address an issue with reverse() generating external URLs
(CVE-2014-0480); a denial of service involving file uploads  (CVE-2014-0481);
a potential session hijacking issue in the remote-user middleware
(CVE-2014-0482); and a data leak in the administrative interface
(CVE-2014-0483).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0481
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0483
https://www.djangoproject.com/weblog/2014/aug/20/security/

CC: (none) => makowski.mageia

Comment 4 Rémi Verschelde 2014-08-23 13:57:36 CEST
https://bugs.mageia.org/show_bug.cgi?id=13251#c6

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 5 Rémi Verschelde 2014-08-23 13:57:49 CEST
(Above comment is the testing procedure)
Comment 6 stephane FLAVIGNY 2014-08-23 15:01:35 CEST
Testing successfully with the procedure on "MGA4-64-OK"

CC: (none) => megastorage
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK

Comment 7 Rémi Verschelde 2014-08-23 15:33:08 CEST
Testing on Mageia 4 32bit, there's an issue with python-django14:

$ django1.4-admin startproject mysite && cd mysite
$ python manage.py runserver
Traceback (most recent call last):
  File "manage.py", line 8, in <module>
    from django.core.management import execute_from_command_line
ImportError: No module named django.core.management
Comment 8 stephane FLAVIGNY 2014-08-23 15:34:37 CEST
(In reply to stephane FLAVIGNY from comment #6)
> Testing successfully with the procedure on "MGA4-64-OK"

but not good with python-django14-1.4.14-1.1.mga4.noarch (I forgot it!!)

django1.4-admin startproject mysite
Traceback (most recent call last):
  File "/usr/bin/django1.4-admin", line 4, in <module>
    import pkg_resources
ImportError: No module named pkg_resources

Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure

Comment 9 David Walser 2014-08-25 20:02:48 CEST
Debian has issued an advisory for this on August 22:
https://www.debian.org/security/2014/dsa-3010

URL: (none) => http://lwn.net/Vulnerabilities/609502/

Comment 10 William Kenney 2014-08-26 17:25:11 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
python-django

default install of python-django

[root@localhost wilcal]# urpmi python-django
Package python-django-1.4.13-1.mga3.noarch is already installed

Works as expected per: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
http://localhost:8000/~wilcal/ "It worked!"

install python-django from updates_testing

[root@localhost wilcal]# urpmi python-django
Package python-django-1.4.14-1.mga3.noarch is already installed

Works as expected per: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
http://localhost:8000/~wilcal/ "It worked!"

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 11 William Kenney 2014-08-26 17:25:31 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
python-django

default install of python-django

[root@localhost wilcal]# urpmi python-django
Package python-django-1.4.13-1.mga3.noarch is already installed

Works as expected per: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
http://localhost:8000/~wilcal/ "It worked!"

install python-django from updates_testing

[root@localhost mysite]# urpmi python-django
Package python-django-1.4.14-1.mga3.noarch is already installed

Works as expected per: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
http://localhost:8000/~wilcal/ "It worked!"

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
William Kenney 2014-08-26 17:26:02 CEST

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK

Comment 12 Rémi Verschelde 2014-08-26 18:02:05 CEST
Feedback needed on comments 7 and 8 for python-django14 on Mageia 4.

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK feedback

Comment 13 William Kenney 2014-08-26 18:23:50 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
python-django

default install of python-django

[root@localhost wilcal]# urpmi python-django
Package python-django-1.5.8-1.mga4.noarch is already installed

Works as expected per: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
http://localhost:8000/~wilcal/ "It worked!"

install python-django from updates_testing

[root@localhost wilcal]# urpmi python-django
Package python-django-1.5.9-1.mga4.noarch is already installed

Works as expected per: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
http://localhost:8000/~wilcal/ "It worked!"

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 14 William Kenney 2014-08-26 18:24:08 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
python3-django

default install of python3-django

[root@localhost wilcal]# urpmi python3-django
Package python3-django-1.5.8-1.mga4.noarch is already installed

Works as expected per: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
http://localhost:8000/~wilcal/ "It worked!"

install python-django from updates_testing

[root@localhost wilcal]# urpmi python3-django
Package python3-django-1.5.9-1.mga4.noarch is already installed

Works as expected per: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
http://localhost:8000/~wilcal/ "It worked!"

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 15 William Kenney 2014-08-26 18:37:12 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
python-django14

default install of python-django14

[root@localhost wilcal]# urpmi python-django14
Package python-django14-1.4.13-1.mga4.noarch is already installed

Works as expected per: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
http://localhost:8000/~wilcal/ "It worked!"

install python-django from updates_testing

[root@localhost wilcal]# urpmi python-django14
Package python-django14-1.4.14-1.1.mga4.noarch is already installed

Testing per: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
Fail
[wilcal@localhost public_html]$ django-admin.py startproject mysite
bash: django-admin.py: command not found

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 16 David Walser 2014-08-26 18:42:47 CEST
(In reply to William Kenney from comment #15)
> Package(s) under test:
> python-django14
> 
> [wilcal@localhost public_html]$ django-admin.py startproject mysite
> bash: django-admin.py: command not found

The command is django1.4-admin, as shown in Comment 7.
Comment 17 William Kenney 2014-08-26 18:44:42 CEST
(In reply to William Kenney from comment #15)

Correction to:

> install python-django from updates_testing

Should read:

install python-django14 from updates_testing
Comment 18 William Kenney 2014-08-26 18:45:23 CEST
Testing this thing is a little like the game of Twisters.
Comment 19 Rémi Verschelde 2014-08-26 18:45:47 CEST
A tip for all QA members when you can't find a command: the following command lists all binaries that are provided by the RPM given after "urpmq -l".

$ urpmq -l python-django14 | grep /usr/bin
Comment 20 William Kenney 2014-08-26 19:01:17 CEST
(In reply to David Walser from comment #16)

> (In reply to William Kenney from comment #15)
> > Package(s) under test:
> > python-django14
> > 
> > [wilcal@localhost public_html]$ django-admin.py startproject mysite
> > bash: django-admin.py: command not found
> 
> The command is django1.4-admin, as shown in Comment 7.

[wilcal@localhost public_html]$ django1.4-admin.py startproject mysite && mysite
bash: django1.4-admin.py: command not found

This is not working.
Comment 21 David Walser 2014-08-26 19:05:08 CEST
(In reply to William Kenney from comment #20)
> (In reply to David Walser from comment #16)
> > The command is django1.4-admin, as shown in Comment 7.
> 
> [wilcal@localhost public_html]$ django1.4-admin.py startproject mysite &&
> mysite
> bash: django1.4-admin.py: command not found
> 
> This is not working.

Please re-read my comment and Comment 7.  That is not the correct command.
Comment 22 Rémi Verschelde 2014-08-26 19:08:42 CEST
And once again, using the command in comment 19 you can find out the correct command each time you face such an issue.
Comment 23 William Kenney 2014-08-26 19:29:41 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
python-django

default install of python-django

[root@localhost wilcal]# urpmi python-django
Package python-django-1.5.8-1.mga4.noarch is already installed

Works as expected per: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
http://localhost:8000/~wilcal/ "It worked!"

install python-django from updates_testing

[root@localhost wilcal]# urpmi python-django
Package python-django-1.5.9-1.mga4.noarch is already installed

Works as expected per: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
http://localhost:8000/~wilcal/ "It worked!"

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 24 William Kenney 2014-08-26 19:47:35 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
python3-django

default install of python3-django

[root@localhost wilcal]# urpmi python3-django
Package python3-django-1.5.8-1.mga4.noarch is already installed

Works as expected per: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
http://localhost:8000/~wilcal/ "It worked!"

install python-django from updates_testing

[root@localhost wilcal]# urpmi python3-django
Package python3-django-1.5.9-1.mga4.noarch is already installed

Works as expected per: https://bugs.mageia.org/show_bug.cgi?id=13251#c6
http://localhost:8000/~wilcal/ "It worked!"

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 25 William Kenney 2014-08-26 19:58:57 CEST
(In reply to Rémi Verschelde from comment #22)

> And once again, using the command in comment 19 you can find out the correct
> command each time you face such an issue.

[wilcal@localhost ~]$ urpmq -l python-django14 | grep /usr/bin
/usr/bin/django-admin.py
/usr/bin/django-admin.py
/usr/bin/django-admin.py
/usr/bin/django1.4-admin

[wilcal@localhost public_html]$ django-admin.py startproject mysite
bash: django-admin.py: command not found

[wilcal@localhost public_html]$ django1.4-admin.py startproject mysite
bash: django1.4-admin.py: command not found
Comment 26 David Walser 2014-08-26 20:09:02 CEST
(In reply to William Kenney from comment #25)
> (In reply to Rémi Verschelde from comment #22)
> 
> > And once again, using the command in comment 19 you can find out the correct
> > command each time you face such an issue.
> 
> [wilcal@localhost ~]$ urpmq -l python-django14 | grep /usr/bin
> /usr/bin/django-admin.py
> /usr/bin/django-admin.py
> /usr/bin/django-admin.py
> /usr/bin/django1.4-admin
> 
> [wilcal@localhost public_html]$ django-admin.py startproject mysite
> bash: django-admin.py: command not found
> 
> [wilcal@localhost public_html]$ django1.4-admin.py startproject mysite
> bash: django1.4-admin.py: command not found

I'm not sure what the difficulty is here.  If you read the output of the command that you just executed, you'll see that the command name is django1.4-admin, not django1.4-admin.py.
Comment 27 William Kenney 2014-08-26 20:46:18 CEST
(In reply to David Walser from comment #26)

> I'm not sure what the difficulty is here.  If you read the output of the
> command that you just executed, you'll see that the command name is
> django1.4-admin, not django1.4-admin.py.

[root@localhost public_html]# urpmi python-django14
Package python-django14-1.4.14-1.1.mga4.noarch is already installed

[wilcal@localhost public_html]$ django1.4-admin startproject mysite
Traceback (most recent call last):
  File "/usr/bin/django1.4-admin", line 4, in <module>
    import pkg_resources
ImportError: No module named pkg_resources
[wilcal@localhost public_html]$ django1.4-admin startproject mysite && mysite
Traceback (most recent call last):
  File "/usr/bin/django1.4-admin", line 4, in <module>
    import pkg_resources
ImportError: No module named pkg_resources
Comment 28 David Walser 2014-08-26 21:00:30 CEST
Cool, so that's the same error as in Comment 8.

Try installing python-pkg-resources (it's a missing dependency) and trying it again.
Comment 29 William Kenney 2014-08-26 21:45:06 CEST
[root@localhost wilcal]# urpmi python-django14
Package python-django14-1.4.13-1.mga4.noarch is already installed

[wilcal@localhost ~]$ cd public_html
[wilcal@localhost public_html]$ django-admin.py startproject mysite
[wilcal@localhost public_html]$ cd mysite
[wilcal@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.4.13, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[26/Aug/2014 14:32:03] "GET /~wilcal/ HTTP/1.1" 200 1957

That all works just fine.

[root@localhost wilcal]# urpmi python-django14
Package python-django14-1.4.14-1.1.mga4.noarch is already installed

[wilcal@localhost ~]$ cd public_html
[wilcal@localhost public_html]$ django-admin.py startproject mysite
bash: django-admin.py: command not found
[wilcal@localhost public_html]$ django1.4-admin startproject mysite
Traceback (most recent call last):
  File "/usr/bin/django1.4-admin", line 4, in <module>
    import pkg_resources
ImportError: No module named pkg_resources
[wilcal@localhost public_html]$ django1.4-admin startproject mysite && mysite
Traceback (most recent call last):
  File "/usr/bin/django1.4-admin", line 4, in <module>
    import pkg_resources
ImportError: No module named pkg_resources
[wilcal@localhost public_html]$ python-django-admin.py startproject mysite
bash: python-django-admin.py: command not found
[wilcal@localhost public_html]$ python1.4-django-admin.py startproject mysite
bash: python1.4-django-admin.py: command not found
[wilcal@localhost public_html]$ python1.4-django-admin startproject mysite
bash: python1.4-django-admin: command not found

[wilcal@localhost public_html]$ urpmq -l python-django14 | grep /usr/bin
    http://192.168.1.2:8080/~mageia/repo/distrib/4/i586/media/core/release/media_info/20140129-225217-files.xml.lzma
    http://192.168.1.2:8080/~mageia/repo/distrib/4/i586/media/core/updates/media_info/20140825-083844-files.xml.lzma
    http://192.168.1.2:8080/~mageia/repo/distrib/4/i586/media/core/updates_testing/media_info/20140825-182531-files.xml.lzma
/usr/bin/django-admin.py
/usr/bin/django-admin.py
/usr/bin/django-admin.py
/usr/bin/django1.4-admin

So something has changed the command to something other than "django-admin.py startproject mysite" or whatever.
Whatever it is I dunno. The above aren't working.

Does not take long to generate another Vbox client to test.

Back to you shortly on the python-pkg-resources thingy.
Comment 30 William Kenney 2014-08-26 21:52:30 CEST
[root@localhost wilcal]# urpmi python-pkg-resources
Package python-pkg-resources-1.3-1.1.mga4.noarch is already installed

[wilcal@localhost public_html]$ django1.4-admin startproject mysite
now created the mysite directory and no errors.

but...

[wilcal@localhost mysite]$ python manage.py runserver
Traceback (most recent call last):
  File "manage.py", line 8, in <module>
    from django.core.management import execute_from_command_line
ImportError: No module named django.core.management
Comment 31 David Walser 2014-08-26 22:08:30 CEST
Cool, that matches Comment 7.  Looking at the SVN diff for this update, I see that this is missing completely now (in %files):
%{python_sitelib}/%{module}
Comment 32 Rémi Verschelde 2014-08-26 22:20:46 CEST
Just for the reference, I realise now that the "urpmq -l" command I gave was not that helpful: it lists the binaries from all python-django14 packages, so including the ones in Core Release and in Core Updates.

To know the binaries included in the update candidate, use:
urpmq -l python-django14 --media "testing" | grep /usr/bin

Sorry for the confusion :-)
Comment 33 William Kenney 2014-08-26 22:37:33 CEST
(In reply to Rémi Verschelde from comment #32)

> To know the binaries included in the update candidate, use:
> urpmq -l python-django14 --media "testing" | grep /usr/bin

Here goes:

[wilcal@localhost ~]$ urpmq -l python-django14 --media "testing" | grep /usr/bin
    http://192.168.1.2:8080/~mageia/repo/distrib/4/i586/media/core/updates_testing/media_info/20140825-182531-files.xml.lzma
/usr/bin/django1.4-admin


> Sorry for the confusion :-)

Not a problem.

I'm done for today. I'll be poken at updates again tomorrow for awhile.
Comment 34 claire robinson 2014-08-26 22:39:55 CEST
Good poken today Bill :)
Comment 35 Rémi Verschelde 2014-08-27 16:16:15 CEST
Philippe, can you have a look at the issue diagnosed in comment 31?
Comment 36 Philippe Makowski 2014-08-30 16:29:49 CEST
The only issue is the missing dependency on python-pkg-resources, the other "error" is expected.

You have many solutions for using a module like django1.4.

The first one is:
$ django1.4-admin startproject mysite && cd mysite
[philippe@localhost mysite]$ pwd
/home/philippe/public_html/mysite
$ django1.4-admin runserver --settings="mysite.settings" --pythonpath="/home/philippe/public_html/mysite"
Validating models...

0 errors found
Django version 1.4.14, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

The second one is to edit manage.py to tell it that you want to use Django 1.4, so it looks like:
$ cat manage.py
#!/usr/bin/env python
import os
import sys
import __main__
__main__.__requires__ = ['Django >= 1.4, < 1.5']
import pkg_resources

if __name__ == "__main__":
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "mysite.settings")

    from django.core.management import execute_from_command_line

    execute_from_command_line(sys.argv)


so then you can do:
$ python manage.py runserver
Validating models...

0 errors found
Django version 1.4.14, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.



Advisory:
========================

Updated python-django and python-django14 packages fix security vulnerabilities:

These releases address an issue with reverse() generating external URLs
(CVE-2014-0480); a denial of service involving file uploads  (CVE-2014-0481);
a potential session hijacking issue in the remote-user middleware
(CVE-2014-0482); and a data leak in the administrative interface
(CVE-2014-0483).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0481
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0483
https://www.djangoproject.com/weblog/2014/aug/20/security/
========================

Updated packages in core/updates_testing:
========================
python-django-1.4.14-1.mga3.noarch

python-django14-1.4.14-1.2.mga4.noarch
python-django-1.5.9-1.mga4.noarch
python3-django-1.5.9-1.mga4.noarch
python-django-doc-1.5.9-1.mga4.noarch

python-django14-1.4.14-2.mga5.noarch
python-django-1.6.6-1.mga5.noarch
python3-django-1.6.6-1.mga5.noarch
python-django-doc-1.6.6-1.mga5.noarch
python-django-bash-completion-1.6.6-1.mga5.noarch


from SRPMS:
python-django-1.4.14-1.mga3
python-django14-1.4.14-1.2.mga4
python-django-1.5.9-1.mga4
python-django14-1.4.14-2.mga5
python-django-1.6.6-1.mga5
David Walser 2014-08-30 17:14:44 CEST

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK feedback => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK

Comment 37 Rémi Verschelde 2014-09-01 09:34:59 CEST
Note that only python-django14 needs to be tested on Mageia 4 before we can validate this update.
Comment 38 Lewis Smith 2014-09-01 22:56:04 CEST
(In reply to Rémi Verschelde from comment #37)
> Note that only python-django14 needs to be tested on Mageia 4 before we can
> validate this update.
testing MGA4 x64 real hardware. Gratefully *just* python-django14.

Installed this from release media, 
 $ urpmq -l python-django14 | grep /usr/bin
 /usr/bin/django-admin.py
Followed exactly the test procedure from
 https://bugs.mageia.org/show_bug.cgi?id=13251#c6
To summarise:-
 $ django-admin.py startproject mysite
 $ cd mysite/
 $ python manage.py runserver
Output ended with:
 Quit the server with CONTROL-C.
 [01/Sep/2014 15:07:39] "GET / HTTP/1.1" 200 1957

Visit in a browser at http://localhost:8000 to see "It Works" message and then kill the server with ctrl-c. All this OK.
 $ cd .. ; rm -rf mysite

Updated from Updates Testing to:-
 python-django14-1.4.14-1.2.mga4
The command given in Comment 32 yielded (note the difference from above):-
 /usr/bin/django1.4-admin
This time the procedure above is replaced by that from Comment 36:-
 $ django1.4-admin startproject mysite
 $ cd mysite/ ; pwd
 /home/lewis/mysite
 $ django1.4-admin runserver --settings="mysite.settings" --pythonpath="/home/lewis/mysite"
 Validating models... etc now ends just:
 Quit the server with CONTROL-C.
Then the browser test as above was OK.

CC: (none) => lewyssmith
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK

Comment 39 claire robinson 2014-09-02 15:26:33 CEST
This update currently changes the executable for python-django14, Philippe, which is a regression in mga4 and will cause breakage for existing users.

# urpmf --media "Core Updates" python-django14 | grep usr/bin
python-django14:/usr/bin/django-admin.py
python-django14:/usr/bin/django-admin.py

# urpmf --media "Core Updates Testing" python-django14 | grep usr/bin
python-django14:/usr/bin/django1.4-admin


I am removing the OK's for mga4, sorry, and adding feedback marker for now.
Can you please have another look at this, thanks.

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK => MGA3TOO feedback has_procedure MGA3-32-OK MGA3-64-OK
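
The by-hand comparison in comment 39 can be scripted. The following is an added example, not part of the original thread or of Mageia's QA tooling: it takes the file listing of the released package and of the update candidate and reports any /usr/bin entry that the candidate no longer ships. The sample listings are the urpmf lines quoted in comment 39; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag executables that an update candidate drops or renames.
# Accepts urpmf-style "package:path" lines as well as the bare paths printed
# by "urpmq -l". Sample data below is copied from comment 39.

RELEASED='python-django14:/usr/bin/django-admin.py
python-django14:/usr/bin/django-admin.py'

CANDIDATE='python-django14:/usr/bin/django1.4-admin'

# bin_paths TEXT -> unique, sorted /usr/bin paths, one per line.
# Anything else (for example the media_info URLs that urpmq printed in
# comments 29 and 33) is dropped.
bin_paths() {
    printf '%s\n' "$1" \
        | sed -e 's|^[^:/ ]*:/|/|' \
        | grep '^/usr/bin/' \
        | sort -u
}

# removed_bins OLD NEW -> paths present in OLD but absent from NEW.
# Calling it with the arguments swapped gives the newly added paths.
removed_bins() {
    new=$(bin_paths "$2")
    bin_paths "$1" | while IFS= read -r p; do
        # -F: fixed string (the "." in django1.4 is literal), -x: whole line
        printf '%s\n' "$new" | grep -Fxq -- "$p" || printf '%s\n' "$p"
    done
}

# verdict OLD NEW -> "regression" if any executable disappeared, else "ok".
verdict() {
    if [ -n "$(removed_bins "$1" "$2")" ]; then
        echo regression
    else
        echo ok
    fi
}

echo "removed: $(removed_bins "$RELEASED" "$CANDIDATE")"
echo "added:   $(removed_bins "$CANDIDATE" "$RELEASED")"
echo "verdict: $(verdict "$RELEASED" "$CANDIDATE")"
```

On a test machine the two variables would be filled from the commands shown in comment 39, `urpmf --media "Core Updates" python-django14` and `urpmf --media "Core Updates Testing" python-django14`.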

Comment 40 Philippe Makowski 2014-09-02 20:36:44 CEST
(In reply to claire robinson from comment #39)
> This update currently changes the executable for python-django14, Philippe,
> which is a regression in mga4 and will cause breakage for existing users.
> 
Not really a regression, since this allows having django14 and django15 at the same time, but I understand what you mean
> 
> I am removing the OK's for mga4, sorry, and adding feedback marker for now.
> Can you please have another look at this, thanks.

Of course, I can revert some changes and bring back the conflict between django14 and django15.
Comment 41 Philippe Makowski 2014-09-02 21:39:40 CEST
python-django14-1.4.14-1.3.mga4 in testing

Whiteboard: MGA3TOO feedback has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK

Comment 42 David Walser 2014-09-02 21:46:04 CEST
For those testing, the command name has changed back to django-admin.py and the missing stuff reported in Comment 7 has been restored.  Hopefully it doesn't still need pkg-resources, as that Requires has been removed.
Comment 43 claire robinson 2014-09-03 15:52:33 CEST
Thanks Philippe.

Testing complete mga4 32 & 64

Validating. Advisory from comment 36 uploaded with srpm from comment 41.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

claire robinson 2014-09-03 15:52:44 CEST

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK mga4-32-ok mga4-64-ok

Comment 44 Mageia Robot 2014-09-05 11:08:30 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0366.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

