SUSE-SU-2015:0563-1: Security update for python-django

sle-security-updates at lists.suse.com
Fri Mar 20 17:06:14 MDT 2015


   SUSE Security Update: Security update for python-django
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0563-1
Rating:             low
References:         #913053 #913054 #913055 #913056 #914706 
Cross-References:   CVE-2015-0219 CVE-2015-0220 CVE-2015-0221
                    CVE-2015-0222
Affected Products:
                    SUSE Cloud 4
______________________________________________________________________________

   An update that solves four vulnerabilities and has one
   erratum is now available. It includes one version update.

Description:


   python-django has been updated to version 1.5.12 to fix four security
   issues:

       * CVE-2015-0219: Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x
         before 1.7.3 allowed remote attackers to spoof WSGI headers by using
         an _ (underscore) character instead of a - (dash) character in an
         HTTP header, as demonstrated by an X-Auth_User header (bnc#913053).
       * CVE-2015-0220: The django.utils.http.is_safe_url function in Django
         before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 did not
         properly handle leading whitespace, which allowed remote attackers
         to conduct cross-site scripting (XSS) attacks via a crafted URL,
         related to redirect URLs, as demonstrated by a "\njavascript:" URL
         (bnc#913054).
       * CVE-2015-0221: The django.views.static.serve view in Django before
         1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 read files an
         entire line at a time, which allowed remote attackers to cause a
         denial of service (memory consumption) via a long line in a file
         (bnc#913056).
       * CVE-2015-0222: ModelMultipleChoiceField in Django 1.6.x before
         1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to
         True, allowed remote attackers to cause a denial of service by
         submitting duplicate values, which triggered a large number of SQL
         queries (bnc#913055).
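
   The first two issues share a root cause: the component that validates
   input and the component that consumes it normalize that input
   differently. The following Python is an added illustration, not part of
   this advisory and not Django's code. It shows the WSGI header-name
   collision behind CVE-2015-0219 and the leading-whitespace gap behind
   CVE-2015-0220, each beside a hardened variant. The header list and URL
   strings are constructed sample input; the set of characters a browser
   strips from the front of a URL is an assumption for illustration, and
   the host comparison that the real is_safe_url performs is omitted.

```python
"""Added illustration of CVE-2015-0219 and CVE-2015-0220 (not Django code)."""
import re

# ---- CVE-2015-0219: header-name normalization in WSGI --------------------

def wsgi_header_key(name):
    """CGI/WSGI convention: 'X-Auth-User' -> 'HTTP_X_AUTH_USER'.
    '-' becomes '_' and an existing '_' is kept, so 'X-Auth_User' maps to
    exactly the same key."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ(headers):
    """Naive (pre-fix style) translation of (name, value) pairs into a WSGI
    environ dict. A later header overwrites an earlier one, so a client's
    'X-Auth_User' can clobber the 'X-Auth-User' a trusted proxy set."""
    environ = {}
    for name, value in headers:
        environ[wsgi_header_key(name)] = value
    return environ


def build_environ_hardened(headers):
    """Drop any header whose raw name contains '_' before translating, so only
    the dash-spelled name can ever reach an HTTP_* key. This is the strategy
    Django's development server adopted in the fixed releases and what nginx
    does by default (underscores_in_headers off)."""
    return build_environ([(n, v) for n, v in headers if "_" not in n])


# Constructed sample request: the proxy's trusted header followed by the
# attacker's underscore-spelled copy (order chosen so the copy lands last).
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("X-Auth-User", "alice"),      # set by a trusted reverse proxy
    ("X-Auth_User", "admin"),      # supplied by the client
]

# ---- CVE-2015-0220: leading whitespace in redirect URLs -------------------

_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
# Leading bytes a browser discards before parsing a URL (ASCII whitespace
# and C0 controls). Assumed here for illustration, not quoted from a browser.
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))


def scheme_of(url):
    """Strict RFC 3986 scheme: must begin at offset 0 with a letter, so
    '\\njavascript:alert(1)' has no scheme at all from this point of view."""
    m = _SCHEME_RE.match(url)
    return m.group(1).lower() if m else ""


def browser_scheme_of(url):
    """What the browser that follows the redirect will see."""
    return scheme_of(url.lstrip(_LEADING_JUNK))


def is_safe_redirect_naive(url):
    """Pre-fix shape of the check (host comparison omitted): accept a relative
    URL or http(s). The validator never strips but the browser does, so they
    disagree on '\\njavascript:...' and the XSS goes through."""
    return bool(url) and scheme_of(url) in ("", "http", "https")


def is_safe_redirect_hardened(url):
    """Normalize the same way the consumer will, *then* decide: strip leading
    and trailing whitespace/controls before inspecting the scheme."""
    url = url.strip(_LEADING_JUNK)
    return bool(url) and scheme_of(url) in ("", "http", "https")


if __name__ == "__main__":
    env = build_environ(SAMPLE_HEADERS)
    hard = build_environ_hardened(SAMPLE_HEADERS)
    print("naive    HTTP_X_AUTH_USER =", env["HTTP_X_AUTH_USER"])   # admin
    print("hardened HTTP_X_AUTH_USER =", hard["HTTP_X_AUTH_USER"])  # alice
    evil = "\njavascript:alert(1)"
    print("validator sees scheme", repr(scheme_of(evil)),
          "browser sees", repr(browser_scheme_of(evil)))
    print("naive safe?", is_safe_redirect_naive(evil),
          "hardened safe?", is_safe_redirect_hardened(evil))
```

   The practical check this suggests for any deployment, patched or not:
   confirm that the front-end proxy drops or rejects header names
   containing underscores before they reach the WSGI layer, and that every
   redirect validator strips whitespace and control characters before it
   inspects the scheme. The hardened redirect check above still accepts
   protocol-relative URLs such as "//evil.example" because it performs no
   host comparison; a production check needs that comparison as well.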

   These non-security issues have been fixed:

       * Method check_for_test_cookie is deprecated (bnc#914706)
       * Fixed a regression with dynamically generated inlines and allowed
         field references in the admin
       * Allowed related many-to-many fields to be referenced in the admin
       * Allowed inline and hidden references to admin fields

   Security Issues:

       * CVE-2015-0222
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0222>
       * CVE-2015-0219
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0219>
       * CVE-2015-0220
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0220>
       * CVE-2015-0221
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0221>


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 4:

      zypper in -t patch sleclo40sp3-python-django=10342

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Cloud 4 (x86_64) [New Version: 1.5.12]:

      python-django-1.5.12-0.7.1


References:

   http://support.novell.com/security/cve/CVE-2015-0219.html
   http://support.novell.com/security/cve/CVE-2015-0220.html
   http://support.novell.com/security/cve/CVE-2015-0221.html
   http://support.novell.com/security/cve/CVE-2015-0222.html
   https://bugzilla.suse.com/913053
   https://bugzilla.suse.com/913054
   https://bugzilla.suse.com/913055
   https://bugzilla.suse.com/913056
   https://bugzilla.suse.com/914706
   http://download.suse.com/patch/finder/?keywords=6373fc8fc605bca1c3684a2915a66465


