Upstream has issued advisories on March 9 and March 18:
https://www.djangoproject.com/weblog/2015/mar/09/security-releases/
https://www.djangoproject.com/weblog/2015/mar/18/security-releases/

The issues are fixed upstream in 1.4.20, 1.7.6, and 1.7.7.

Mageia 4 and Mageia 5 are affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
python-django14-1.4.20-2.mga5 in cauldron core/updates_testing uploaded
python-django-1.7.7-1.mga5 in cauldron core/updates_testing uploaded
python-django-1.5.9-1.2.mga4 in 4 core/updates_testing uploaded
python-django14-1.4.20-1.mga4 in 4 core/updates_testing uploaded
Assignee: makowski.mageia => qa-bugs
Thanks Philippe! We'll also need either to bump the release tags in Cauldron and ask for a freeze push, or just ask for the sysadmins to move the packages from core/updates_testing to core/release.
CC: (none) => makowski.mageia
Assigning back to Philippe for now until these are pushed in Cauldron.
CC: (none) => qa-bugs
Assignee: qa-bugs => makowski.mageia
python-django-1.7.7-2.mga5 and python-django14-1.4.20-3.mga5 uploaded for Cauldron. Assigning the Mageia 4 update to QA. Advisory to come later.
Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13251#c6

Advisory:
========================

Updated python-django and python-django14 packages fix security vulnerabilities:

The ModelAdmin.readonly_fields attribute in the Django admin allows displaying model fields and model attributes. While the former were correctly escaped, the latter were not. Thus untrusted content could be injected into the admin, presenting an exploitation vector for XSS attacks (CVE-2015-2241).

Django relies on user input in some cases to redirect the user to an "on success" URL. The security checks for these redirects accepted URLs with leading control characters and so considered URLs like \x08javascript:... safe. This issue doesn't affect Django currently; however, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack, as some browsers such as Google Chrome ignore control characters at the start of a URL in an anchor href (CVE-2015-2317).

Note that the CVE-2015-2241 issue does not affect python-django14 directly, but client code using it may be affected. Please see the March 9th upstream advisory for more information on this.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2316
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2317
https://www.djangoproject.com/weblog/2015/mar/09/security-releases/
https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
========================

Updated packages in core/updates_testing:
========================
python-django14-1.4.20-1.mga4
python-django-1.5.9-1.2.mga4
python3-django-1.5.9-1.2.mga4
python-django-doc-1.5.9-1.2.mga4

from SRPMS:
python-django14-1.4.20-1.mga4.src.rpm
python-django-1.5.9-1.2.mga4.src.rpm
Whiteboard: (none) => has_procedure
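As an added illustration of the CVE-2015-2317 check the advisory describes (example code, not Django's own is_safe_url() and not part of this bug report), the hypothetical is_safe_redirect() below rejects a redirect target whose first character is a control character before any URL parsing takes place, then applies the usual scheme and host allowlist; the host names and sample targets are constructed.

```python
import unicodedata
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")


def is_safe_redirect(url, host):
    """Return True only if `url` is a relative path or an http(s) URL on `host`.

    Hypothetical check modelled on the advisory text, not Django's code.
    The CVE-2015-2317 point is the control-character test: it runs on the
    raw string before parsing, so "\x08javascript:..." is rejected even
    though a URL parser may report no scheme (or a harmless one) for it.
    """
    if not url:
        return False
    # Some browsers ignore control characters at the start of an href, so
    # the target would execute as a javascript: URL. Refuse any target whose
    # first character is in a Unicode "C" (control/other) category.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # urlparse keeps "///host" as a path, but browsers read it as absolute.
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    if parts.scheme and parts.scheme not in ALLOWED_SCHEMES:
        return False
    if parts.netloc and parts.netloc != host:
        return False
    return True


def classify(targets, host="example.org"):
    """Map each candidate redirect target to the verdict of is_safe_redirect()."""
    return {t: is_safe_redirect(t, host) for t in targets}


if __name__ == "__main__":
    # Constructed sample targets, including the advisory's control-character case.
    samples = [
        "/accounts/profile/",
        "https://example.org/next",
        "https://other.example/",
        "javascript:alert(1)",
        "\x08javascript:alert(1)",
        "///other.example/",
    ]
    for target, safe in classify(samples).items():
        print(f"{target!r:32} -> {'safe' if safe else 'REJECTED'}")
```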
Oops, forgot to assign back to QA. See Comment 5.
CC: qa-bugs => (none)
Assignee: makowski.mageia => qa-bugs
Ubuntu has issued an advisory for this on March 23: http://www.ubuntu.com/usn/usn-2539-1/
URL: (none) => http://lwn.net/Vulnerabilities/637723/
LWN reference for CVE-2015-2241: http://lwn.net/Vulnerabilities/638309/
Testing on Mageia4x32, real hardware, using procedure mentioned in comment 5

From current packages:
---------------------
python-django14-1.4.18-1.1.mga4
python-django-1.5.9-1.1.mga4
python3-django-1.5.9-1.1.mga4

With each python-django version, launched the server and verified browsing to http://localhost:8000/ that it was working.

To updated testing packages:
---------------------------
python-django14-1.4.20-1.mga4
python-django-1.5.9-1.2.mga4
python3-django-1.5.9-1.2.mga4

Same procedure. All OK.
CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Testing on Mageia4x64, real hardware, using same procedure

From current packages:
---------------------
python-django14-1.4.18-1.1.mga4
python-django-1.5.9-1.1.mga4
python3-django-1.5.9-1.1.mga4

To updated testing packages:
----------------------------
python-django14-1.4.20-1.mga4
python-django-1.5.9-1.2.mga4
python3-django-1.5.9-1.2.mga4

With each python-django version, launched the server and verified browsing to http://localhost:8000/ that it was working.

OK
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0127.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED