Security update for python-django

SUSE Security Update: Security update for python-django
Announcement ID: SUSE-SU-2015:0563-1
Rating: low
References: #913053 #913054 #913055 #913056 #914706
Affected Products:
  • SUSE Cloud 4

  • An update that solves four vulnerabilities and has one erratum is now available. It includes one version update.

    Description:

    python-django has been updated to version 1.5.12 to fix four security
    issues:

    * CVE-2015-0219: Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x
    before 1.7.3 allowed remote attackers to spoof WSGI headers by using
    an _ (underscore) character instead of a - (dash) character in an
    HTTP header, as demonstrated by an X-Auth_User header (bnc#913053).
    * CVE-2015-0220: The django.util.http.is_safe_url function in Django
    before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 did not
    properly handle leading whitespaces, which allowed remote attackers
    to conduct cross-site scripting (XSS) attacks via a crafted URL,
    related to redirect URLs, as demonstrated by a "\njavascript:" URL
    (bnc#913054).
    * CVE-2015-0221: The django.views.static.serve view in Django before
    1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 read files an
    entire line at a time, which allowed remote attackers to cause a
    denial of service (memory consumption) via a long line in a file
    (bnc#913056).
    * CVE-2015-0222: ModelMultipleChoiceField in Django 1.6.x before
    1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to
    True, allowed remote attackers to cause a denial of service by
    submitting duplicate values, which triggered a large number of SQL
    queries (bnc#913055).
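
    The header-name collision behind CVE-2015-0219, and the filter Django's fix applies to it, as an added example that is not part of this advisory or of Django's code; the proxy setup, header values and function names are constructed for illustration.

```python
# Added example, not part of the SUSE advisory or of Django's own code.
# CVE-2015-0219: a WSGI server exposes each request header in the environ as
# HTTP_<NAME>, upper-cased, with '-' replaced by '_'. "X-Auth-User" and
# "X-Auth_User" therefore collapse into the same key, HTTP_X_AUTH_USER, and an
# upstream component that only filters the dashed spelling can be bypassed.
# Django's fix rejects header names containing '_' before the environ is
# built; strip_underscore_headers() below applies the same rule.

def wsgi_key(header_name):
    """CGI/WSGI mapping from an HTTP header name to its environ key."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(raw_headers):
    """Minimal stand-in for a WSGI server's environ construction.

    Which spelling wins when two names collide depends on the server; this
    stand-in lets the later header overwrite the earlier one, which is enough
    to show that the collision exists at all.
    """
    environ = {}
    for name, value in raw_headers:
        environ[wsgi_key(name)] = value
    return environ


def strip_underscore_headers(raw_headers):
    """Defensive filter: drop every header whose name contains an underscore,
    so only the dashed spelling can ever populate HTTP_X_AUTH_USER."""
    return [(name, value) for name, value in raw_headers if "_" not in name]


def authenticated_user(environ):
    """The application trusts HTTP_X_AUTH_USER as set by a front-end proxy."""
    return environ.get("HTTP_X_AUTH_USER")


# Constructed request: the trusted proxy set X-Auth-User, and the same request
# also carried a client-supplied X-Auth_User header.
REQUEST_HEADERS = [
    ("X-Auth-User", "alice"),
    ("X-Auth_User", "mallory"),
    ("Host", "example.invalid"),
]

if __name__ == "__main__":
    print(wsgi_key("X-Auth-User") == wsgi_key("X-Auth_User"))  # True
    print(authenticated_user(build_environ(REQUEST_HEADERS)))  # mallory
    filtered = strip_underscore_headers(REQUEST_HEADERS)
    print(authenticated_user(build_environ(filtered)))  # alice
```

    Front-end servers commonly drop underscore-named headers themselves; the filter belongs wherever the environ is first built, before any trust is placed in it.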

    These non-security issues have been fixed:

    * Method check_for_test_cookie is deprecated (bnc#914706)
    * Fixed a regression with dynamically generated inlines and allowed
    field references in the admin
    * Allowed related many-to-many fields to be referenced in the admin
    * Allowed inline and hidden references to admin fields

    Security Issues:

    * CVE-2015-0222
    * CVE-2015-0219
    * CVE-2015-0220
    * CVE-2015-0221

    Patch Instructions:

    To install this SUSE Security Update, use YaST online_update.
    Alternatively, you can run the command listed for your product:

    • SUSE Cloud 4:
      zypper in -t patch sleclo40sp3-python-django=10342

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Cloud 4 (x86_64) [New Version: 1.5.12]:
      • python-django-1.5.12-0.7.1

    References:

    • http://support.novell.com/security/cve/CVE-2015-0219.html
    • http://support.novell.com/security/cve/CVE-2015-0220.html
    • http://support.novell.com/security/cve/CVE-2015-0221.html
    • http://support.novell.com/security/cve/CVE-2015-0222.html
    • https://bugzilla.suse.com/913053
    • https://bugzilla.suse.com/913054
    • https://bugzilla.suse.com/913055
    • https://bugzilla.suse.com/913056
    • https://bugzilla.suse.com/914706
    • http://download.suse.com/patch/finder/?keywords=6373fc8fc605bca1c3684a2915a66465