Bug 15045 - python-django new security issues CVE-2015-0219 and CVE-2015-022[0-2]
Summary: python-django new security issues CVE-2015-0219 and CVE-2015-022[0-2]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/629475/
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-01-14 19:04 CET by David Walser
Modified: 2015-01-17 23:31 CET (History)

See Also:
Source RPM: python-django-1.7-4.mga5.src.rpm, python-django14-1.4.15-4.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-01-14 19:04:07 CET
Upstream has issued an advisory on January 13:
https://www.djangoproject.com/weblog/2015/jan/13/security/

The issues are fixed in 1.4.18, 1.6.10, and 1.7.3.

Mageia 4 is also affected.

Note that the CVE-2015-0222 issue does not affect python-django14.

Ubuntu has issued an advisory for this on January 13:
http://www.ubuntu.com/usn/usn-2469-1/

Reproducible: 

Steps to Reproduce:
David Walser 2015-01-14 19:04:18 CET

Whiteboard: (none) => MGA4TOO

Comment 1 Philippe Makowski 2015-01-15 15:05:48 CET
python-django14-1.4.18-1.1.mga4 is available

python-django14-1.4.18-1.mga5 and python-django-1.7.3-1.mga5 need a freeze push

python-django-1.5.9-1.1.mga4 will come ASAP, I need to backport patches, since Django 1.5 is no longer receiving security updates from upstream.
Comment 2 David Walser 2015-01-15 16:58:13 CET
Freeze pushes fulfilled in Cauldron.

Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4

Comment 3 Philippe Makowski 2015-01-15 21:35:23 CET
python-django-1.5.9-1.1.mga4 is available
Comment 4 David Walser 2015-01-15 22:47:52 CET
Thanks Philippe!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13251#c6

Advisory:
========================

Updated python-django and python-django14 packages fix security vulnerabilities:

Jedediah Smith discovered that Django incorrectly handled underscores in
WSGI headers. A remote attacker could possibly use this issue to spoof
headers in certain environments (CVE-2015-0219).

Mikko Ohtamaa discovered that Django incorrectly handled user-supplied
redirect URLs. A remote attacker could possibly use this issue to perform a
cross-site scripting attack (CVE-2015-0220).

Alex Gaynor discovered that Django incorrectly handled reading files in
django.views.static.serve(). A remote attacker could possibly use this
issue to cause Django to consume resources, resulting in a denial of
service (CVE-2015-0221).

Keryn Knight discovered that Django incorrectly handled forms with
ModelMultipleChoiceField. A remote attacker could possibly use this issue
to cause a large number of SQL queries, resulting in a database denial of
service. Note that this issue only affected python-django (CVE-2015-0222).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0220
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0222
https://www.djangoproject.com/weblog/2015/jan/13/security/
http://www.ubuntu.com/usn/usn-2469-1/
========================

Updated packages in core/updates_testing:
========================
python-django14-1.4.18-1.1.mga4
python-django-1.5.9-1.1.mga4
python3-django-1.5.9-1.1.mga4
python-django-doc-1.5.9-1.1.mga4

from SRPMS:
python-django14-1.4.18-1.1.mga4.src.rpm
python-django-1.5.9-1.1.mga4.src.rpm

CC: (none) => makowski.mageia
Assignee: makowski.mageia => qa-bugs
Whiteboard: (none) => has_procedure
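The CVE-2015-0219 item in the advisory above comes down to how a WSGI server turns raw header names into `HTTP_*` environ keys: both `-` and `_` collapse to `_`, so two differently spelled names can land on the same key. The following is an added example (not code from this bug report or from Django) that models that normalisation on constructed sample headers, shows the hardened behaviour of discarding header names that contain an underscore before normalisation, and adds a small collision check; `build_environ` and `colliding_names` are hypothetical helper names.

```python
"""Added example: CGI-style header normalisation and the underscore fix."""

from collections import defaultdict


def cgi_header_name(name):
    """CGI/WSGI convention: 'X-Auth-User' -> 'HTTP_X_AUTH_USER'.

    Because '-' is mapped to '_' while an existing '_' is kept, the names
    'X-Auth-User' and 'X-Auth_User' normalise to the same environ key.
    """
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ(raw_headers, drop_underscore_names=False):
    """Build the HTTP_* part of a WSGI environ from (name, value) pairs.

    Headers are processed in arrival order and a later header overwrites an
    earlier one that normalises to the same key. With
    drop_underscore_names=True (the hardened behaviour) any header whose raw
    name contains an underscore is discarded instead of being normalised, so
    it can no longer alias a hyphenated header.
    """
    environ = {}
    for name, value in raw_headers:
        if drop_underscore_names and "_" in name:
            continue
        environ[cgi_header_name(name)] = value
    return environ


def colliding_names(raw_headers):
    """Return {environ_key: [raw names]} for keys fed by more than one
    distinct raw header name; useful as a log/alert check at the edge."""
    seen = defaultdict(list)
    for name, _value in raw_headers:
        key = cgi_header_name(name)
        if name not in seen[key]:
            seen[key].append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


# Constructed sample request headers (not captured traffic): a hyphenated
# header set by a trusted proxy and a second header whose name differs only
# by an underscore.
SAMPLE_HEADERS = [
    ("Host", "app.example.invalid"),
    ("X-Auth-User", "alice"),
    ("X-Auth_User", "admin"),
]
```

With the default behaviour the underscore variant overwrites the proxy's value; with `drop_underscore_names=True` it is dropped and `colliding_names` reports the overlap.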

Comment 5 olivier charles 2015-01-17 11:17:49 CET
Testing on Mageia4x64, real hardware, following the procedure mentioned in Comment 4

From current packages:
---------------------
(installed and tested each package separately as they conflict with each other)
python-django-1.5.9-1.mga4

$ django-admin.py startproject mysite
$ cd mysite/
$ python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 03:57:52
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[17/Jan/2015 03:58:01] "GET / HTTP/1.1" 200 1957

Browsed to http://localhost:8000/
Which showed:

It worked!
Congratulations on your first Django-powered page.

Killed the server with Ctrl-C
and removed mysite directory.

Did the same with python-django14-1.4.13-1.mga4
OK

Did the same with python3-django-1.5.9-1.mga4, changing commands accordingly
OK

To updated testing packages:
--------------------
python-django-1.5.9-1.1.mga4
python-django14-1.4.18-1.1.mga4
python3-django-1.5.9-1.1.mga4

All OK.

CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 6 William Kenney 2015-01-17 19:03:37 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
python-django & python-django14

default install of python-django

[root@localhost wilcal]# urpmi python-django
Package python-django-1.5.9-1.mga4.noarch is already installed

[root@localhost wilcal]# django-admin.py startproject mysite
[root@localhost wilcal]# cd mysite/
[root@localhost mysite]# python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 11:24:31
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/

Browsed to http://localhost:8000/
Which showed:

It worked!
Congratulations on your first Django-powered page.

Quit the server with CONTROL-C.

delete mysite

install python-django from updates_testing

[root@localhost wilcal]# urpmi python-django
Package python-django-1.5.9-1.1.mga4.noarch is already installed

[root@localhost wilcal]# django-admin.py startproject mysite
[root@localhost wilcal]# cd mysite/
[root@localhost mysite]# python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 11:24:31
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Browsed to http://localhost:8000/
Which showed:

It worked!
Congratulations on your first Django-powered page.

Quit the server with CONTROL-C.

delete mysite

remove python-django

default install of python-django14

[root@localhost wilcal]# urpmi python-django14
Package python-django14-1.4.14-1.3.mga4.noarch is already installed

[root@localhost wilcal]# django-admin.py startproject mysite
[root@localhost wilcal]# cd mysite/
[root@localhost mysite]# python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 11:24:31
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Browsed to http://localhost:8000/
Which showed:

It worked!
Congratulations on your first Django-powered page.

Quit the server with CONTROL-C.

delete mysite

install python-django14 from updates_testing

[root@localhost wilcal]# urpmi python-django14
Package python-django14-1.4.18-1.1.mga4.noarch is already installed

[root@localhost wilcal]# django-admin.py startproject mysite
[root@localhost wilcal]# cd mysite/
[root@localhost mysite]# python manage.py runserver
Validating models...

0 errors found
January 17, 2015 - 11:24:31
Django version 1.5.9, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Browsed to http://localhost:8000/
Which showed:

It worked!
Congratulations on your first Django-powered page.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 7 William Kenney 2015-01-17 19:04:52 CET
This update works fine. Another super job by Olivier.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2015-01-17 23:21:27 CET
advisory uploaded

Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => tmb

Comment 9 Mageia Robot 2015-01-17 23:31:43 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0026.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

