Bug 7835 - python-django new security issues fixed in 1.3.4 and 1.4.2
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: major
URL: https://www.djangoproject.com/weblog/...
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga1...
Keywords: validated_update
Reported: 2012-10-18 20:17 CEST by Philippe Makowski
Modified: 2012-10-29 19:14 CET (History)
Source RPM: python-django
Description Philippe Makowski 2012-10-18 20:17:28 CEST
The Django team is issuing multiple releases -- Django 1.3.4 and Django 1.4.2 -- to remedy security issues reported.

python-django-1.3.4-1.mga1
python-django-1.3.4-1.mga2
python-django-1.4.2-1.mga3
are available.
Comment 1 Manuel Hiebel 2012-10-20 22:58:52 CEST
Arf, packages are here, sorry Shlomi. Philippe, can you add an advisory for the QA? Or is https://www.djangoproject.com/weblog/2012/oct/17/security/ enough?

cf https://wiki.mageia.org/en/Updates_policy
Comment 2 Philippe Makowski 2012-10-21 21:03:06 CEST
Suggested advisory:
========================

Updated python-django packages fix security vulnerabilities:

The Host header parsing in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host() -- was incorrectly handling username/password information in the header.
Using this, an attacker can cause parts of Django -- particularly the password-reset mechanism -- to generate and display arbitrary URLs to users.

References:
https://www.djangoproject.com/weblog/2012/oct/17/security/
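An added example (not Django's code and not part of this bug report) of the kind of Host header check the advisory describes: a strict host[:port] validator with an allow-list, beside the password-reset link builder that relies on it. HOST_RE, the allow-list, unvalidated_host() as a simplified stand-in for the unvalidated pre-fix behaviour, and the sample environ dicts are all assumptions of this example.

```python
import re
from urllib.parse import urlunsplit

# Accept only "host", "host:port" or "[ipv6]:port".  Anything else, in
# particular a "user:pass@" userinfo prefix, fails.  This pattern is an
# assumption of this example, not Django's own code.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[0-9a-f:]+\])(:\d{1,5})?$", re.IGNORECASE)


def unvalidated_host(environ):
    """Simplified stand-in for the pre-fix behaviour: the Host header is
    trusted as received, so whatever the client sent ends up in URLs."""
    return environ.get("HTTP_HOST", "")


def validated_host(environ, allowed_hosts):
    """Return the Host header only if it is a plain host[:port] whose host
    part is on the allow-list; raise ValueError otherwise."""
    host = environ.get("HTTP_HOST", "")
    if not HOST_RE.match(host):
        raise ValueError("malformed Host header: %r" % host)
    # Strip the port; an IPv6 literal keeps its brackets.
    name = host[: host.index("]") + 1] if host.startswith("[") else host.split(":")[0]
    if name.lower() not in allowed_hosts:
        raise ValueError("Host %r not in allowed hosts" % name)
    return host


def host_is_acceptable(environ, allowed_hosts):
    """Boolean verdict for callers such as middleware that answer 400."""
    try:
        validated_host(environ, allowed_hosts)
        return True
    except ValueError:
        return False


def password_reset_url(environ, allowed_hosts, uid, token):
    """Build the absolute link a reset e-mail would carry; with the
    validated host it can only point at our own site."""
    host = validated_host(environ, allowed_hosts)
    scheme = "https" if environ.get("wsgi.url_scheme") == "https" else "http"
    return urlunsplit((scheme, host, "/reset/%s/%s/" % (uid, token), "", ""))


if __name__ == "__main__":
    allowed = {"example.com"}
    print(password_reset_url({"HTTP_HOST": "example.com", "wsgi.url_scheme": "https"}, allowed, "MQ", "3k2-abc"))
    # Constructed header carrying userinfo, the shape the advisory describes.
    bad = {"HTTP_HOST": "injected.test@example.com"}
    print(unvalidated_host(bad), host_is_acceptable(bad, allowed))
```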
Comment 3 claire robinson 2012-10-29 16:03:29 CET
Previously tested using https://docs.djangoproject.com/en/dev/intro/tutorial01/
Comment 4 claire robinson 2012-10-29 16:08:36 CET
This seems to be CVE-2012-4520, could somebody confirm please?
Comment 5 claire robinson 2012-10-29 17:35:43 CET
Testing complete Mga2 32

Testing basic functionality only.
$ mkdir python-django
$ cd python-django
$ django-admin.py startproject mysite
$ cd mysite
$ python manage.py runserver
Validating models...

0 errors found
Django version 1.3.3, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Checked it worked with a browser, then quit it with ctrl-c.
Comment 6 claire robinson 2012-10-29 17:43:01 CET
Testing complete mga2 64 same procedure.
Comment 7 claire robinson 2012-10-29 17:56:49 CET
Testing complete mga1 32
Comment 8 David Walser 2012-10-29 18:37:18 CET
(In reply to comment #4)
> This seems to be CVE-2012-4520 could somebody confirm please?

Yep, thanks for catching this.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4520
Comment 9 claire robinson 2012-10-29 18:56:54 CET
Testing complete mga1 64

Validating

Suggested advisory:
========================

Updated python-django packages fix security vulnerabilities:

The Host header parsing in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host() -- was incorrectly handling username/password information in the header.
Using this, an attacker can cause parts of Django -- particularly the password-reset mechanism -- to generate and display arbitrary URLs to users.

References:
https://www.djangoproject.com/weblog/2012/oct/17/security/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4520

===========================

python-django-1.3.4-1.mga1
python-django-1.3.4-1.mga2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 10 Thomas Backlund 2012-10-29 19:14:15 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0315
