Upstream has issued an advisory on January 13:
https://www.djangoproject.com/weblog/2015/jan/13/security/

The issues are fixed in 1.4.18, 1.6.10, and 1.7.3.

Mageia 4 is also affected. Note that the CVE-2015-0222 issue does not affect python-django14.

Ubuntu has issued an advisory for this on January 13:
http://www.ubuntu.com/usn/usn-2469-1/
Whiteboard: (none) => MGA4TOO
python-django14-1.4.18-1.1.mga4 is available.
python-django14-1.4.18-1.mga5 and python-django-1.7.3-1.mga5 need a freeze push.
python-django-1.5.9-1.1.mga4 will come ASAP; I need to backport patches, since Django 1.5 is no longer receiving security updates from upstream.
Freeze pushes fulfilled in Cauldron.
Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4
python-django-1.5.9-1.1.mga4 is available
Thanks Philippe!

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13251#c6

Advisory:
========================

Updated python-django and python-django14 packages fix security vulnerabilities:

Jedediah Smith discovered that Django incorrectly handled underscores in WSGI headers. A remote attacker could possibly use this issue to spoof headers in certain environments (CVE-2015-0219).

Mikko Ohtamaa discovered that Django incorrectly handled user-supplied redirect URLs. A remote attacker could possibly use this issue to perform a cross-site scripting attack (CVE-2015-0220).

Alex Gaynor discovered that Django incorrectly handled reading files in django.views.static.serve(). A remote attacker could possibly use this issue to cause Django to consume resources, resulting in a denial of service (CVE-2015-0221).

Keryn Knight discovered that Django incorrectly handled forms with ModelMultipleChoiceField. A remote attacker could possibly use this issue to cause a large number of SQL queries, resulting in a database denial of service. Note that this issue only affected python-django (CVE-2015-0222).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0220
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0222
https://www.djangoproject.com/weblog/2015/jan/13/security/
http://www.ubuntu.com/usn/usn-2469-1/
========================

Updated packages in core/updates_testing:
========================
python-django14-1.4.18-1.1.mga4
python-django-1.5.9-1.1.mga4
python3-django-1.5.9-1.1.mga4
python-django-doc-1.5.9-1.1.mga4

from SRPMS:
python-django14-1.4.18-1.1.mga4.src.rpm
python-django-1.5.9-1.1.mga4.src.rpm
CC: (none) => makowski.mageia
Assignee: makowski.mageia => qa-bugs
Whiteboard: (none) => has_procedure
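Added example, not Django's code and not part of this bug report: a small Python model of the header-name ambiguity behind CVE-2015-0219 above. It mirrors how wsgiref builds the WSGI environ (upper-case the name, turn dashes into underscores, prefix HTTP_, comma-join repeated keys) and the shape of the upstream fix (drop any header whose raw name contains an underscore before the environ is built). The X-Auth-User header, the front_end() proxy, the attacker request and the application's first-value parsing are constructed assumptions for the illustration.

```python
"""Constructed model of CVE-2015-0219: a header spelled with an underscore
(X_Auth-User) and one spelled with a dash (X-Auth-User) collapse to the
same WSGI environ key, HTTP_X_AUTH_USER. A front end that strips only the
dash spelling lets the attacker's value through. Example code, not Django's."""
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def front_end(client_headers: List[Header], authenticated_user: str) -> List[Header]:
    """Assumed reverse proxy: removes the client's X-Auth-User header
    (exact name, case-insensitive) and appends its own trusted value.
    It leaves X_Auth-User alone because, at the HTTP layer, that is a
    different header name."""
    kept = [(n, v) for n, v in client_headers if n.lower() != "x-auth-user"]
    kept.append(("X-Auth-User", authenticated_user))
    return kept


def build_environ(headers: List[Header], drop_underscored: bool = False) -> Dict[str, str]:
    """Map HTTP headers to WSGI environ keys the way wsgiref.simple_server does:
    name.upper() with '-' replaced by '_', prefixed HTTP_, and repeats joined
    with a comma. With drop_underscored=True, headers whose raw name contains
    '_' are discarded first; that is the shape of the runserver fix shipped
    in Django 1.7.3 (and what nginx and Apache 2.4+ do by default)."""
    environ: Dict[str, str] = {}
    for name, value in headers:
        if drop_underscored and "_" in name:
            continue
        key = "HTTP_" + name.replace("-", "_").upper()
        if key in environ:
            environ[key] = environ[key] + "," + value.strip()
        else:
            environ[key] = value.strip()
    return environ


def trusted_user(environ: Dict[str, str]) -> str:
    """Assumed application code that believes HTTP_X_AUTH_USER was set by the
    front end and, as is common for multi-valued headers, takes the first
    comma-separated element."""
    return environ.get("HTTP_X_AUTH_USER", "").split(",")[0].strip()


# Constructed attacker request carrying both spellings of the header.
ATTACKER_HEADERS: List[Header] = [
    ("Host", "example.test"),
    ("X_Auth-User", "admin"),
    ("X-Auth-User", "admin"),
]


def spoofed_value() -> str:
    """Vulnerable path: proxy strips only the dash form; WSGI merges the rest."""
    return trusted_user(build_environ(front_end(ATTACKER_HEADERS, "alice")))


def fixed_value() -> str:
    """Fixed path: underscored header names never reach the environ."""
    env = build_environ(front_end(ATTACKER_HEADERS, "alice"), drop_underscored=True)
    return trusted_user(env)


if __name__ == "__main__":
    print("vulnerable:", spoofed_value())  # admin
    print("fixed:     ", fixed_value())    # alice
```

The same check applies to any trusted header set by a front end (X-Forwarded-For, X-Real-IP, and so on): if the application server is reached through a proxy that does not already drop underscored header names, the proxy, not just runserver, must do the filtering, since the fix above lives only in Django's development server.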
Testing on Mageia4x64, real hardware, following procedure mentioned in Comment 4

From current packages:
---------------------
(installed and tested each package separately as they conflict with each other)

python-django-1.5.9-1.mga4

$ django-admin.py startproject mysite
$ cd mysite/
$ python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 03:57:52
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[17/Jan/2015 03:58:01] "GET / HTTP/1.1" 200 1957

Browsed to http://localhost:8000/ which showed:
It worked!
Congratulations on your first Django-powered page.

Killed the server with Ctrl-C and removed mysite directory.

Did the same with python-django14-1.4.13-1.mga4: OK
Did the same with python3-django-1.5.9-1.mga4, changing commands accordingly: OK

To updated testing packages:
--------------------
python-django-1.5.9-1.1.mga4
python-django14-1.4.18-1.1.mga4
python3-django-1.5.9-1.1.mga4

All OK.
CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-64-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: python-django & python-django14

default install of python-django

[root@localhost wilcal]# urpmi python-django
Package python-django-1.5.9-1.mga4.noarch is already installed
[root@localhost wilcal]# django-admin.py startproject mysite
[root@localhost wilcal]# cd mysite/
[root@localhost mysite]# python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 11:24:31
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/

Browsed to http://localhost:8000/ which showed:
It worked!
Congratulations on your first Django-powered page.

Quit the server with CONTROL-C.
delete mysite

install python-django from updates_testing

[root@localhost wilcal]# urpmi python-django
Package python-django-1.5.9-1.1.mga4.noarch is already installed
[root@localhost wilcal]# django-admin.py startproject mysite
[root@localhost wilcal]# cd mysite/
[root@localhost mysite]# python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 11:24:31
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Browsed to http://localhost:8000/ which showed:
It worked!
Congratulations on your first Django-powered page.

Quit the server with CONTROL-C.
delete mysite
remove python-django

default install of python-django14

[root@localhost wilcal]# urpmi python-django14
Package python-django14-1.4.14-1.3.mga4.noarch is already installed
[root@localhost wilcal]# django-admin.py startproject mysite
[root@localhost wilcal]# cd mysite/
[root@localhost mysite]# python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 11:24:31
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Browsed to http://localhost:8000/ which showed:
It worked!
Congratulations on your first Django-powered page.

Quit the server with CONTROL-C.
delete mysite

install python-django14 from updates_testing

[root@localhost wilcal]# urpmi python-django14
Package python-django14-1.4.18-1.1.mga4.noarch is already installed
[root@localhost wilcal]# django-admin.py startproject mysite
[root@localhost wilcal]# cd mysite/
[root@localhost mysite]# python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 11:24:31
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Browsed to http://localhost:8000/ which showed:
It worked!
Congratulations on your first Django-powered page.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
This update works fine. Another super job by Oliver.
Testing complete for mga4 32-bit & 64-bit.
Validating the update. Could someone from the sysadmin team push this to updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
advisory uploaded
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => tmb
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0026.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED