SUSE-SU-2015:0563-1: Security update for python-django
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Fri Mar 20 17:06:14 MDT 2015
SUSE Security Update: Security update for python-django
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:0563-1
Rating: low
References: #913053 #913054 #913055 #913056 #914706
Cross-References: CVE-2015-0219 CVE-2015-0220 CVE-2015-0221
CVE-2015-0222
Affected Products:
SUSE Cloud 4
______________________________________________________________________________
An update that solves four vulnerabilities and has one
errata is now available. It includes one version update.
Description:
python-django has been updated to version 1.5.12 to fix four security
issues:
* CVE-2015-0219: Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x
before 1.7.3 allowed remote attackers to spoof WSGI headers by using
an _ (underscore) character instead of a - (dash) character in an
HTTP header, as demonstrated by an X-Auth_User header (bnc#913053).
* CVE-2015-0220: The django.util.http.is_safe_url function in Django
before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 did not
properly handle leading whitespaces, which allowed remote attackers
to conduct cross-site scripting (XSS) attacks via a crafted URL,
related to redirect URLs, as demonstrated by a "\njavascript:" URL
(bnc#913054).
* CVE-2015-0221: The django.views.static.serve view in Django before
1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 read files an
entire line at a time, which allowed remote attackers to cause a
denial of service (memory consumption) via a long line in a file
(bnc#913056).
* CVE-2015-0222: ModelMultipleChoiceField in Django 1.6.x before
1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to
True, allowed remote attackers to cause a denial of service by
submitting duplicate values, which triggered a large number of SQL
queries (bnc#913055).
These non-security issues have been fixed:
* Method check_for_test_cookie is deprecated (bnc#914706)
* Fixed a regression with dynamically generated inlines and allowed
field references in the admin
* Allowed related many-to-many fields to be referenced in the admin
* Allowed inline and hidden references to admin fields
Security Issues:
* CVE-2015-0222
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0222>
* CVE-2015-0219
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0219>
* CVE-2015-0220
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0220>
* CVE-2015-0221
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0221>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Cloud 4:
zypper in -t patch sleclo40sp3-python-django=10342
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Cloud 4 (x86_64) [New Version: 1.5.12]:
python-django-1.5.12-0.7.1
References:
http://support.novell.com/security/cve/CVE-2015-0219.html
http://support.novell.com/security/cve/CVE-2015-0220.html
http://support.novell.com/security/cve/CVE-2015-0221.html
http://support.novell.com/security/cve/CVE-2015-0222.html
https://bugzilla.suse.com/913053
https://bugzilla.suse.com/913054
https://bugzilla.suse.com/913055
https://bugzilla.suse.com/913056
https://bugzilla.suse.com/914706
http://download.suse.com/patch/finder/?keywords=6373fc8fc605bca1c3684a2915a66465
More information about the sle-updates
mailing list