Bug 6986 - python-django new security issues fixed in 1.3.2
: python-django new security issues fixed in 1.3.2
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/510255/
: MGA1TOO MGA1-32-OK has_procedure MGA1...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-08-08 20:35 CEST by David Walser
Modified: 2012-08-18 10:56 CEST (History)
6 users (show)

See Also:
Source RPM: python-django-1.3.1-1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-08-08 20:35:21 CEST
OpenSuSE has issued an advisory today (August 8):
http://lists.opensuse.org/opensuse-updates/2012-08/msg00014.html

Mageia 1 and Mageia 2 are also affected.
Comment 1 Philippe Makowski 2012-08-09 00:01:44 CEST
ok will try to work on in next days
Comment 2 David Walser 2012-08-10 21:48:07 CEST
There's also this for python-django-piston from November 11:
http://www.debian.org/security/2011/dsa-2344

It's not clear which versions are affected.
Comment 3 Philippe Makowski 2012-08-12 14:29:11 CEST
about python-django-piston, no problem, Releasing version 0.2.3 have this security issue fixed
Comment 4 Philippe Makowski 2012-08-12 18:28:35 CEST
Pushed fixed release  to 1/updates_testing and 2/updates_testing.
Comment 5 David Walser 2012-08-12 18:51:25 CEST
Thanks Philippe!

Advisory:
========================

Updated python-django package fixes security vulnerabilities:

The (1) django.http.HttpResponseRedirect and (2)
django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2
and 1.4.x before 1.4.1 do not validate the scheme of a redirect target,
which might allow remote attackers to conduct cross-site scripting (XSS)
attacks via a data: URL (CVE-2012-3442).

The django.forms.ImageField class in the form system in Django before
1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during
image validation, which allows remote attackers to cause a denial of
service (memory consumption) by uploading an image file (CVE-2012-3443).

The get_image_dimensions function in the image-handling functionality in
Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in
all attempts to determine dimensions, which allows remote attackers to
cause a denial of service (process or thread consumption) via a large
TIFF image (CVE-2012-3444).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3444
http://lists.opensuse.org/opensuse-updates/2012-08/msg00014.html
========================

Updated packages in core/updates_testing:
========================
python-django-1.3.3-1.mga1
python-django-1.3.3-2.mga2

from SRPMS:
python-django-1.3.3-1.mga1.src.rpm
python-django-1.3.3-2.mga2.src.rpm
Comment 6 Samuel Verschelde 2012-08-13 11:45:12 CEST
This update is not just security patches, it's a full update to django 1.3.3 from django 1.3.1. rpmdiff shows more than 1000 changed files!
Comment 7 Samuel Verschelde 2012-08-13 12:46:34 CEST
(In reply to comment #6)
> This update is not just security patches, it's a full update to django 1.3.3
> from django 1.3.1. rpmdiff shows more than 1000 changed files!

ok, "full update" should just bring security fixes, so how come rpmdiff shows that many changes?
Comment 8 David Walser 2012-08-13 16:35:57 CEST
The maintainer decided that upgrading this was the best way to handle these issues.
Comment 9 Dave Hodgins 2012-08-14 02:14:55 CEST
As this is an upgrade, I'm just testing basic functionality, following
https://docs.djangoproject.com/en/dev/intro/tutorial01/

I've also confirmed the depcheck script shows no packages will need linking.

Testing complete for Mageia 1 i586.  I'll test x86-64 shortly.
Comment 10 Dave Hodgins 2012-08-14 02:24:13 CEST
Testing complete for Mageia 1 x86-64.  I'll test Mageia 2 shortly.
Comment 11 Dave Hodgins 2012-08-14 02:34:44 CEST
Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
python-django-1.3.3-2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
python-django-1.3.3-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated python-django package fixes security vulnerabilities:

The (1) django.http.HttpResponseRedirect and (2)
django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2
and 1.4.x before 1.4.1 do not validate the scheme of a redirect target,
which might allow remote attackers to conduct cross-site scripting (XSS)
attacks via a data: URL (CVE-2012-3442).

The django.forms.ImageField class in the form system in Django before
1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during
image validation, which allows remote attackers to cause a denial of
service (memory consumption) by uploading an image file (CVE-2012-3443).

The get_image_dimensions function in the image-handling functionality in
Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in
all attempts to determine dimensions, which allows remote attackers to
cause a denial of service (process or thread consumption) via a large
TIFF image (CVE-2012-3444).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3444
http://lists.opensuse.org/opensuse-updates/2012-08/msg00014.html

https://bugs.mageia.org/show_bug.cgi?id=6986
Comment 12 Thomas Backlund 2012-08-18 10:56:56 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0219

Note You need to log in before you can comment on or make changes to this bug.