Bug 24348 - python-django new security issue CVE-2019-6975
Summary: python-django new security issue CVE-2019-6975
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-02-11 13:31 CET by David Walser
Modified: 2019-02-15 00:47 CET (History)
3 users

See Also:
Source RPM: python-django-1.11.18-5.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-02-11 13:31:57 CET
Upstream has issued an advisory today (February 11):
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/

The issue is fixed upstream in 1.11.19.

As with Bug 23377 and Bug 24128, we'll have to see if python-django (1.8.x) or python-django16 (1.6.x) in Mageia 6 are affected.
Comment 1 David Walser 2019-02-11 20:23:26 CET
python-django-1.11.20-1.mga7 uploaded for Cauldron by Stig-Ørjan.

Version: Cauldron => 6

Comment 2 David Walser 2019-02-11 20:26:26 CET
Debian says that 1.7.x isn't affected, so that rules out 1.6.x:
https://security-tracker.debian.org/tracker/CVE-2019-6975

Ubuntu hasn't triaged the issue as of this posting:
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6975.html

We can probably figure it out by looking at the commit that fixed it:
https://github.com/django/django/commit/0bbb560183fabf0533289700845dafa94951f227

and see if the vulnerable code is present in 1.8.x.
Comment 3 David Walser 2019-02-12 01:51:49 CET
Yes, the vulnerable code is present in 1.8.x.
Comment 4 David Walser 2019-02-12 03:35:40 CET
Advisory:
========================

Updated python-django packages fix security vulnerability:

If django.utils.numberformat.format() -- used by contrib.admin as well as the
floatformat, filesizeformat, and intcomma template filters -- received a
Decimal with a large number of digits or a large exponent, it could lead to
significant memory usage due to a call to '{:f}'.format() (CVE-2019-6975).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6975
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
========================

Updated packages in core/updates_testing:
========================
python-django-1.8.19-1.2.mga6
python-django-bash-completion-1.8.19-1.2.mga6
python3-django-1.8.19-1.2.mga6
python-django-doc-1.8.19-1.2.mga6

from python-django-1.8.19-1.2.mga6.src.rpm

Assignee: bugsquad => qa-bugs

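The advisory above describes the mechanism in one sentence: a Decimal can be written in a handful of bytes ('1e100000') while its fixed-point rendering via '{:f}'.format() needs one character per power of ten, so output size is driven by the exponent rather than by the input length. The following is an added illustration, not code from the Django project or from the upstream commit linked in comment 2. It predicts the fixed-point size of a Decimal without building the string, and shows a bounded-output formatter that falls back to scientific notation above an assumed cutoff of 200 digits (the cutoff value and the function names are assumptions, not taken from this bug report):

```python
from decimal import Decimal

# Assumed cutoff, not taken from the bug report or the upstream fix: once a
# Decimal's fixed-point rendering would need more digits than this, fall
# back to scientific notation, whose length tracks the number of
# significant digits rather than the exponent.
MAX_FIXED_DIGITS = 200


def fixed_point_size(number):
    """Estimate len('{:f}'.format(number)) without building the string.

    A Decimal is coefficient * 10**exponent; '{:f}' emits every coefficient
    digit plus a zero for each power of ten the exponent shifts it by, so
    the rendered size grows linearly with abs(exponent) even when the input
    text (e.g. '1e100000') is only a few bytes long. Non-finite values
    (Infinity, NaN) render as a short fixed word, so they count as size 0.
    """
    if not number.is_finite():
        return 0
    _, digits, exponent = number.as_tuple()
    return len(digits) + abs(exponent)


def safe_decimal_str(number, max_digits=MAX_FIXED_DIGITS):
    """Render a Decimal with bounded output size.

    Ordinary values keep the fixed-point form that template filters such as
    floatformat expect; values whose fixed-point form would be huge are
    rendered with '{:e}' instead, which stays short for any exponent.
    """
    if not isinstance(number, Decimal):
        raise TypeError('expected a Decimal, got %r' % type(number).__name__)
    if not number.is_finite():
        return str(number)
    if fixed_point_size(number) > max_digits:
        return '{:e}'.format(number)
    return '{:f}'.format(number)


def size_comparison(exponent):
    """Return (predicted '{:f}' size, actual '{:e}' size) for 1 * 10**exponent.

    Only the scientific-notation string is built here, so this is cheap to
    call even for exponents that would make '{:f}' consume large amounts
    of memory.
    """
    number = Decimal('1e%d' % exponent)
    return fixed_point_size(number), len('{:e}'.format(number))


if __name__ == '__main__':
    # Constructed sample inputs: ordinary values plus the kind of input the
    # advisory describes (tiny text, enormous fixed-point expansion).
    for text in ('1234.56', '1e-5', '1e5', '1e100000'):
        value = Decimal(text)
        print('%-10s predicted fixed-point size %-8d rendered as %r'
              % (text, fixed_point_size(value), safe_decimal_str(value)))
```

The point of the size estimate is that it is computed from Decimal.as_tuple(), which is O(1) in the exponent, so a guard based on it can be evaluated before any allocation happens; the same check is what lets a formatter stay safe for untrusted Decimal input while leaving normal values untouched.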
Comment 5 Herman Viaene 2019-02-12 15:45:03 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 24173 for tests:
$ django-admin --help

Type 'django-admin help <subcommand>' for help on a specific subcommand.

Available subcommands:

[django]
    check
    compilemessages
    createcachetable
    dbshell
    diffsettings
etc ......
$ django-admin startproject testdjango
creates a folder testdjango and in it another folder testdjango and a file manage.py
$ cd testdjango/
$ python3 manage.py help

Type 'manage.py help <subcommand>' for help on a specific subcommand.

Available subcommands:

[auth]
    changepassword
    createsuperuser

[django]
    check
    compilemessages
    createcachetable
    dbshell
    diffsettings
etc.......
So it works OK for python3
$ python manage.py runserver   
Performing system checks...

System check identified no issues (0 silenced).

You have unapplied migrations; your app may not work properly until they are applied.
Run 'python manage.py migrate' to apply them.

February 12, 2019 - 14:27:19
Django version 1.8.19, using settings 'testdjango.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

With the server running, point a browser to http://localhost:8000/ and you should see:
"It worked!
 Congratulations on your first Django-powered page."
Is OK

$ cd
$ django-admin runserver
Traceback (most recent call last):
  File "/usr/bin/django-admin", line 5, in <module>
    management.execute_from_command_line()
and more errors like that, but I can sort of understand that; used that way, the program is no longer in the path of the setup.

$ cd testdjango/
$ python3 manage.py runserver   
Performing system checks...

System check identified no issues (0 silenced).

You have unapplied migrations; your app may not work properly until they are applied.
Run 'python manage.py migrate' to apply them.

February 12, 2019 - 14:30:54
Django version 1.8.19, using settings 'testdjango.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

The browser shows the same page as above, so OK.
Unless Lewis or someone else objects, I give it OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Dave Hodgins 2019-02-14 08:06:19 CET

CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 6 Mageia Robot 2019-02-14 09:40:31 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0086.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 David Walser 2019-02-15 00:47:20 CET
Ubuntu advisory from February 13 just for reference:
https://usn.ubuntu.com/3890-1/
