Bug 16607 - python-django, python-django14 new security issues CVE-2015-5963 and CVE-2015-5964
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/654999/
Whiteboard: MGA4TOO has_procedure MGA5-64-OK MGA4...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-08-18 21:09 CEST by David Walser
Modified: 2015-08-27 22:50 CEST (History)
CC: 3 users

See Also:
Source RPM: python-django-1.8.3-1.mga5.src.rpm, python-django14-1.4.21-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-08-18 21:09:33 CEST
Upstream has issued an advisory today (August 18):
https://www.djangoproject.com/weblog/2015/aug/18/security-releases/

The issues are fixed upstream in 1.8.4 and 1.4.22.

Mageia 4 and Mageia 5 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-08-18 21:09:39 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-08-19 20:20:38 CEST
Ubuntu has issued an advisory for this on August 18:
http://www.ubuntu.com/usn/usn-2720-1/

URL: (none) => http://lwn.net/Vulnerabilities/654999/

Comment 2 Philippe Makowski 2015-08-23 12:39:48 CEST
Advisory:
========================

Updated python-django and python-django14 packages fix security
vulnerabilities:
Lin Hua Cheng discovered that Django incorrectly handled the session store.
A remote attacker could use this issue to cause the session store to fill
up, resulting in a denial of service.

References:
https://www.djangoproject.com/weblog/2015/aug/18/security-releases/
http://www.ubuntu.com/usn/usn-2720-1/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5964

Mageia 5 :

Update packages :

python-django-doc-1.8.4-1.mga5.noarch.rpm
python-django-1.8.4-1.mga5.noarch.rpm
python3-django-1.8.4-1.mga5.noarch.rpm
python-django-bash-completion-1.8.4-1.mga5.noarch.rpm

From :
python-django-1.8.4-1.mga5.src.rpm

Mageia 4 :

Update packages :

python-django14-1.4.22-1.mga4.noarch.rpm

From :
python-django14-1.4.22-1.mga4.src.rpm

Assignee: makowski.mageia => qa-bugs
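
The advisory above sums up the failure class in one sentence. As an added illustration (not Django's code and not part of this bug report), the toy model below contrasts a session handler that writes a store record on every request with one that writes only when there is session data worth keeping. The store class, the handler names and the traffic mix are constructed assumptions; the point is that the first pattern lets unauthenticated requests grow the store one record per request without bound, which is the denial-of-service condition the advisory refers to, while the second keeps the store proportional to real sessions.

```python
import secrets


class SessionStore:
    """In-memory stand-in for a server-side session backend (constructed)."""

    def __init__(self):
        self._records = {}

    def exists(self, key):
        return key in self._records

    def save(self, key, data):
        self._records[key] = dict(data)

    def delete(self, key):
        self._records.pop(key, None)

    def __len__(self):
        return len(self._records)


def new_key():
    """Server-generated session key; the client never chooses it."""
    return secrets.token_hex(16)


def handle_request_unbounded(store, presented_key, new_data=None):
    """Vulnerable pattern (assumed, simplified).

    The request's old session is discarded and a fresh one is written to the
    store unconditionally, even when the presented key was never issued and
    there is no data to keep.  Cost to the store: one record per request.
    """
    if presented_key is not None:
        store.delete(presented_key)
    key = new_key()
    store.save(key, dict(new_data or {}))  # writes an empty record too
    return key


def handle_request_bounded(store, presented_key, new_data=None):
    """Hardened pattern (assumed, simplified).

    An unknown key is ignored rather than materialised, and a record is
    written only when there is session data worth persisting.  Cost to the
    store: one record per session that actually holds data.
    """
    if presented_key is not None and store.exists(presented_key):
        store.delete(presented_key)
    if not new_data:
        return None  # nothing to persist: no cookie issued, no record created
    key = new_key()
    store.save(key, dict(new_data))
    return key


def simulate(handler, n_anonymous, n_logins=0):
    """Return the store size after constructed traffic: n_anonymous requests
    that each present a random, never-issued key and carry no data, then
    n_logins requests that establish a session holding data."""
    store = SessionStore()
    for _ in range(n_anonymous):
        handler(store, secrets.token_hex(16))
    for i in range(n_logins):
        handler(store, None, {"user_id": i})
    return len(store)


if __name__ == "__main__":
    print("unbounded:", simulate(handle_request_unbounded, 1000, 5))  # 1005
    print("bounded:  ", simulate(handle_request_bounded, 1000, 5))    # 5
```

The size of the session table (or cache keyspace) is the quantity an operator would watch: with the bounded handler it tracks the number of sessions that hold data, so a record count far above the number of logged-in users is the signal that something is allocating records per request.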

Comment 3 David Walser 2015-08-23 20:40:03 CEST
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13251#c6

Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO has_procedure

Comment 4 Yann Cantin 2015-08-24 23:08:50 CEST
mga5 64 LANG=fr_FR.UTF-8

===========
Installed :
python-django-1.8.4-1.mga5.noarch.rpm
python-django-bash-completion-1.8.4-1.mga5.noarch.rpm

$ django-admin startproject mysite
$ cd mysite/
$ python manage.py runserver
Performing system checks...

System check identified no issues (0 silenced).

You have unapplied migrations; your app may not work properly until they are applied.
Run 'python manage.py migrate' to apply them.

August 24, 2015 - 20:53:41
Django version 1.8.4, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[24/Aug/2015 20:54:29] "GET / HTTP/1.1" 200 1767
[24/Aug/2015 20:54:30] "GET /favicon.ico HTTP/1.1" 404 1936
[24/Aug/2015 20:54:30] "GET /favicon.ico HTTP/1.1" 404 1936
^C

Test OK.
===========
Installed :
python3-django-1.8.4-1.mga5.noarch.rpm
python-django-bash-completion-1.8.4-1.mga5.noarch.rpm

$ python3-django-admin startproject mysite
$ cd mysite/
$ python3 manage.py runserver
Performing system checks...

System check identified no issues (0 silenced).

You have unapplied migrations; your app may not work properly until they are applied.
Run 'python manage.py migrate' to apply them.

August 24, 2015 - 21:05:43
Django version 1.8.4, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[24/Aug/2015 21:05:54] "GET / HTTP/1.1" 200 1767
[24/Aug/2015 21:05:58] "GET / HTTP/1.1" 200 1767
^C

Test OK.
===========

Update OK.

CC: (none) => yann.cantin
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA5-64-OK

Comment 5 Lewis Smith 2015-08-25 21:21:30 CEST
Testing MGA4 x64 (OK)

Having python & python-django14-1.4.21-1.mga4 already installed, updated the latter to:
 python-django14-1.4.22-1.mga4
and ran the test shown in
 https://bugs.mageia.org/show_bug.cgi?id=13251#c6      [thanks Claire]
just for the 1st part (I have Python3 installed, but this update applies just to django14 for Mageia 4).
Result OK.

CC: (none) => lewyssmith
Whiteboard: MGA4TOO has_procedure MGA5-64-OK => MGA4TOO has_procedure MGA5-64-OK MGA4-64-OK

Comment 6 Samuel Verschelde 2015-08-27 16:50:45 CEST
Validating. Still needs an advisory to be uploaded.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Rémi Verschelde 2015-08-27 20:18:38 CEST
Advisory uploaded.

Whiteboard: MGA4TOO has_procedure MGA5-64-OK MGA4-64-OK => MGA4TOO has_procedure MGA5-64-OK MGA4-64-OK advisory

Comment 8 Mageia Robot 2015-08-27 22:50:44 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0327.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

