Bug 24173 - python-django16 new security issue CVE-2019-3498
Summary: python-django16 new security issue CVE-2019-3498
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA-64-OK
Keywords: advisory, validated_update
Depends on: 24128
Blocks:
Reported: 2019-01-13 18:08 CET by David Walser
Modified: 2019-01-18 23:20 CET (History)

See Also:
Source RPM: python-django16-1.6.11.6-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2019-01-13 18:08:03 CET
+++ This bug was initially created as a clone of Bug #24128 +++

Upstream has issued an advisory today (January 4):
https://www.djangoproject.com/weblog/2019/jan/04/security-releases/

The issue is fixed upstream in 1.11.18.

1.8.x and older are not supported upstream, but we determined 1.8.x to be affected and fixed it in Bug 24128.  1.6.x may also be affected.  This package should be dropped from Cauldron before Mageia 7 and fixed (if affected) in Mageia 6.
Marja Van Waes 2019-01-13 19:24:11 CET

Assignee: bugsquad => python
CC: (none) => marja11

Comment 1 David Walser 2019-01-14 15:35:22 CET
Ubuntu has issued an advisory for this on January 9:
https://usn.ubuntu.com/3851-1/

They backported a patch to 1.6.x for Ubuntu 14.04.
Comment 2 David Walser 2019-01-14 16:10:58 CET
Obsoleted in Cauldron, patched in Mageia 6.

Advisory:
========================

Updated python-django16 package fixes security vulnerability:

It was discovered that Django incorrectly handled the default 404 page. A
remote attacker could use this issue to spoof content using a malicious URL
(CVE-2019-3498).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3498
https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
https://usn.ubuntu.com/3851-1/
========================

Updated packages in core/updates_testing:
========================
python-django16-1.6.11.6-1.1.mga6

from python-django16-1.6.11.6-1.1.mga6.src.rpm

Severity: normal => major
Assignee: python => qa-bugs

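To illustrate the class of issue the advisory above describes, here is a small added example (not code from Django or from this update) modelled on the upstream fix for CVE-2019-3498: the pre-fix default 404 page reflected the raw request path into page text, while the fixed page no longer shows the path and, for custom templates that still display it, percent-quotes it. The sample path, template strings and function names are constructed for this illustration.

```python
"""Constructed illustration of content spoofing on a default 404 page and
the two mitigations Django 1.11.18 applied (drop the path; quote it)."""
import html
from urllib.parse import quote

# Constructed sample request path: whitespace and punctuation let it read
# as ordinary page prose once reflected into the "not found" message.
SPOOF_PATH = "/ Please note: this site has moved to example.invalid"

# Pre-fix style fallback page (used when no 404.html template exists).
VULNERABLE_TEMPLATE = (
    "<h1>Not Found</h1>"
    "<p>The requested URL %(request_path)s was not found on this server.</p>"
)
# Fixed style fallback page: the path is not displayed at all.
FIXED_TEMPLATE = (
    "<h1>Not Found</h1>"
    "<p>The requested resource was not found on this server.</p>"
)


def render_404_unfixed(request_path):
    # Pre-fix behaviour: the raw path is interpolated into the page text.
    return VULNERABLE_TEMPLATE % {"request_path": request_path}


def render_404_fixed(request_path):
    # Fixed behaviour: the message is constant, so nothing attacker
    # controlled appears in the body of the default page.
    return FIXED_TEMPLATE


def safe_request_path(request_path):
    # For custom 404 templates that still show the path: percent-quote it
    # (as the upstream fix does for the request_path context variable) so
    # spaces and punctuation cannot read as prose, then HTML-escape as well.
    return html.escape(quote(request_path))


def looks_spoofable(rendered_body, request_path):
    # Defensive check for a rendered 404 page: the path appears verbatim,
    # whitespace intact, i.e. readable as injected text.
    return " " in request_path and request_path in rendered_body
```

Running `looks_spoofable` over both renderings shows the unfixed page reflects the path verbatim while the fixed one does not; `safe_request_path` turns the spaces into `%20` so the quoted form no longer reads as a sentence.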
Comment 3 Herman Viaene 2019-01-15 12:25:33 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
No previous updates on this found, and "easy" examples on the net dive straight into python and its configuration stuff.
So settled to try the one command in the package.
$ django1.6-admin --help
Usage: django1.6-admin subcommand [options] [args]

Options:
  -v VERBOSITY, --verbosity=VERBOSITY
                        Verbosity level; 0=minimal output, 1=normal output,
                        2=verbose output, 3=very verbose output
  --settings=SETTINGS   The Python path to a settings module, e.g.
                        "myproject.settings.main". If this isn't provided, the
                        DJANGO_SETTINGS_MODULE environment variable will be
                        used.
  --pythonpath=PYTHONPATH
                        A directory to add to the Python path, e.g.
                        "/home/djangoprojects/myproject".
  --traceback           Raise on exception
  --version             show program's version number and exit
  -h, --help            show this help message and exit

Type 'django1.6-admin help <subcommand>' for help on a specific subcommand.

Available subcommands:

[django]
    check
    cleanup
    compilemessages
    createcachetable
and more.
Tried one:
$ django1.6-admin startproject testdjango
That created a folder testdjango and in it another folder testdjango and a file manage.py
I think I have seen something similar in another test case, but what was it????
If the higher powers find this sufficient, I will not object to an OK.

CC: (none) => herman.viaene

Comment 4 Lewis Smith 2019-01-18 18:32:25 CET
(In reply to Herman Viaene from comment #3)
> MGA6-32 MATE on IBM Thinkpad R50e
> No previous updates on this found
Since the package name is familiar, I tried python-django - with doubtful success. Thanks for all the info you gave.

This is another of those updates where the package to test conflicts with another (and it is obsoleted henceforth):
 # urpmi python-django16
 The following package must be removed for the update to proceed.
 python-django-1.8.19-1.1.mga6.noarch
 (because of conflict with python-django16-1.6.11.6-1.mga6.noarch)
It also pulled in 'python-simplejson-3.8.2-2.mga6'.

Could find no PoC.

The replaced package had a test procedure:
 https://bugs.mageia.org/show_bug.cgi?id=17860#c7
which scarcely seems to apply here... django1.6-admin takes the place of manage.py.
 $ python manage.py help
gives output very like 'django1.6-admin --help' shown in comment 3. The Python3 equivalent fails:
 $ python3 manage.py help
 Traceback (most recent call last):
  File "manage.py", line 8, in <module>
    from django.core.management import execute_from_command_line
 ImportError: No module named 'django'
----------------------------------------------
BEFORE update: python-django16-1.6.11.6-1.mga6

 $ django1.6-admin startproject mysite
 $ cd mysite
Python ? Red Herring?
------
 $ python manage.py runserver      [Should this be used here?]
Validating models...
0 errors found
January 18, 2019 - 14:26:43
Django version 1.6.11.6, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/

With the server running, point a browser to http://localhost:8000/ and you should see:
"It worked!
 Congratulations on your first Django-powered page."
It did indeed.
 [18/Jan/2019 14:45:09] "GET / HTTP/1.1" 200 1757
  ^C
 $ cd ..                [To tidy up]
 $ rm -rf mysite/

BUT: I never got anywhere with '$ django1.6-admin runserver' (from the top project directory) with various options.
 $ django1.6-admin runserver
Traceback (most recent call last):
  File "/usr/bin/django1.6-admin", line 5, in <module>
    management.execute_from_command_line()
etc etc
 $ django1.6-admin runserver --pythonpath=/home/lewis/tmp/mysite
Same.

 $ django1.6-admin help runserver
Usage: django1.6-admin runserver [options] [optional port number, or ipaddr:port]
Starts a lightweight Web server for development.
Options:     [trimmed]
  --settings=SETTINGS   The Python path to a settings module, e.g.
                        "myproject.settings.main". If this isn't provided, the
                        DJANGO_SETTINGS_MODULE environment variable will be
                        used.
  --pythonpath=PYTHONPATH
                        A directory to add to the Python path, e.g.
                        "/home/djangoprojects/myproject".
  --version             show program's version number and exit
  -h, --help            show this help message and exit

Python3
-------
Not the same as before. There is no longer a Python3 variant of
django1.6-admin. After creating the project as above, the following no longer works:
 $ python3 manage.py runserver
 Traceback (most recent call last):
  File "manage.py", line 8, in <module>
    from django.core.management import execute_from_command_line
 ImportError: No module named 'django'

 $ django1.6-admin --version
 1.6.11.6
Oh well, something else works.
===============================================
AFTER update: python-django16-1.6.11.6-1.1.mga6
 $ django1.6-admin startproject mysite
worked OK.
 $ cd mysite/
 $ django1.6-admin runserver
Traceback (most recent call last):
  File "/usr/bin/django1.6-admin", line 5, in <module>
    management.execute_from_command_line()
etc etc as before update. However,
 $ python manage.py runserver
worked as before (Python); as did http://localhost:8000/
failed as before for Python3.

Well, the update shows no change. Hence OK it.
Advisory from comment 2.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-32-OK MGA-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2019-01-18 23:20:47 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0040.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

