Django security issues, new releases 1.10.7, 1.9.13, 1.8.18

Bug #1679820 reported by Adam Heczko
Affects | Status | Importance | Assigned to | Milestone
Mirantis OpenStack | Won't Fix | Critical | MOS Maintenance |
8.0.x | Fix Released | Critical | Max Yatsenko |
9.x | Fix Released | Critical | Max Yatsenko |

Bug Description

Detailed bug description:
Today the Django team issued 1.10.7, 1.9.13, and 1.8.18 as part of our security process. These releases address two security issues, and we encourage all users to upgrade as soon as possible:

https://www.djangoproject.com/weblog/2017/apr/04/security-releases/

As a reminder, we ask that potential security issues be reported via private email to <email address hidden> and not via Django's Trac instance or the django-developers list. Please see https://www.djangoproject.com/security for further information.

How we are affected:
requirements.txt for Liberty:
https://github.com/openstack/requirements/blob/stable/liberty/global-requirements.txt
Django>=1.7,<1.9

requirements.txt for Mitaka:
https://github.com/openstack/requirements/blob/stable/mitaka/global-requirements.txt
Django>=1.8,<1.9 # BSD

requirements.txt for Newton:
https://github.com/openstack/requirements/blob/stable/newton/global-requirements.txt
Django>=1.8,<1.9 # BSD
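
An added example, not part of the original report or of any OpenStack or Django tooling: it checks which of the fixed releases named above each branch's specifier would accept, and whether an installed version has a fixed release in its own series. The function names are hypothetical, and only the upstream part of a version is compared; a distribution suffix such as +mos2 is ignored.

```python
import re

# Fixed upstream releases named in the announcement quoted in this report.
FIXED_RELEASES = ["1.10.7", "1.9.13", "1.8.18"]

# Django specifiers quoted in this report from global-requirements.txt.
BRANCH_SPECS = {
    "liberty": "Django>=1.7,<1.9",
    "mitaka": "Django>=1.8,<1.9 # BSD",
    "newton": "Django>=1.8,<1.9 # BSD",
}

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       "==": lambda a, b: a == b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b}

def vtuple(version, width=3):
    """'1.8.7-2~u14.04+mos2' -> (1, 8, 7): upstream part only, zero-padded."""
    upstream = re.match(r"\d+(?:\.\d+)*", version).group(0)
    parts = [int(p) for p in upstream.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def allowed(version, line):
    """True if the version satisfies every clause of a requirements line."""
    spec = line.split("#", 1)[0]          # drop the trailing licence comment
    clauses = re.findall(r"(>=|<=|==|>|<)\s*([0-9.]+)", spec)
    return all(OPS[op](vtuple(version), vtuple(bound)) for op, bound in clauses)

def fixed_in_range(line):
    """Fixed releases that a branch's specifier would accept."""
    return [r for r in FIXED_RELEASES if allowed(r, line)]

def fixed_for_series(installed):
    """Fixed release with the same major.minor as the installed one, or None."""
    for release in FIXED_RELEASES:
        if vtuple(release)[:2] == vtuple(installed)[:2]:
            return release
    return None

def older_than_fix(installed):
    """True when the upstream version predates its series' fixed release."""
    fixed = fixed_for_series(installed)
    return fixed is not None and vtuple(installed) < vtuple(fixed)

if __name__ == "__main__":
    for branch, line in BRANCH_SPECS.items():
        print(branch, "accepts fixed releases:", fixed_in_range(line))
    for pkg in ("1.7.9-1~u14.04+mos2", "1.8.7-2~u14.04+mos2"):
        print(pkg, "-> fixed release in series:", fixed_for_series(pkg))
```

For the two packages verified later in this report, the upstream number alone does not show the fix: 1.8.7 sorts below 1.8.18 and the 1.7 series has no release in the announcement, so the +mos2 package revision is what has to be checked.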

description: updated
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to packages/xenial/python-django (master)

Fix proposed to branch: master
Change author: Ivan Suzdal <email address hidden>
Review: https://review.fuel-infra.org/33081

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to packages/trusty/python-django (9.0)

Fix proposed to branch: 9.0
Change author: Ivan Suzdal <email address hidden>
Review: https://review.fuel-infra.org/33085

Changed in mos:
importance: High → Critical
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to packages/trusty/python-django (8.0)

Fix proposed to branch: 8.0
Change author: Ivan Suzdal <email address hidden>
Review: https://review.fuel-infra.org/33087

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to packages/xenial/python-django (10.0/newton)

Fix proposed to branch: 10.0/newton
Change author: Ivan Suzdal <email address hidden>
Review: https://review.fuel-infra.org/33089

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to packages/xenial/python-django (master)

Reviewed: https://review.fuel-infra.org/33081
Submitter: Pkgs Jenkins <email address hidden>
Branch: master

Commit: 20d7a50a2ef0dc0d8c9623acf21dd6014694f5cd
Author: Ivan Suzdal <email address hidden>
Date: Thu Apr 13 09:57:33 2017

Add fixes for CVE-2017-7233 CVE-2017-7234

Change-Id: Ib87ff9aa90614f2c8b8e3b72d9a26a3bb15afc43
Closes-Bug: #1679820

Changed in mos:
assignee: nobody → MOS Linux (mos-linux)
status: New → Confirmed
tags: added: area-linux
Changed in mos:
assignee: MOS Linux (mos-linux) → MOS Maintenance (mos-maintenance)
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to packages/trusty/python-django (9.0)

Reviewed: https://review.fuel-infra.org/33085
Submitter: Pkgs Jenkins <email address hidden>
Branch: 9.0

Commit: 5845de6007c6405549333ac7d992ab09c1055f91
Author: Ivan Suzdal <email address hidden>
Date: Mon Apr 17 14:21:26 2017

Add fixes for CVE-2017-7233 CVE-2017-7234

Change-Id: If65701618ce1ac0feb00a482ca2835c87e8f1543
Closes-Bug: #1679820

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to packages/trusty/python-django (8.0)

Reviewed: https://review.fuel-infra.org/33087
Submitter: Pkgs Jenkins <email address hidden>
Branch: 8.0

Commit: 502d8fbd277771fb3e52889e537d3093c491a263
Author: Ivan Suzdal <email address hidden>
Date: Mon Apr 17 14:20:32 2017

Add fixes for CVE-2017-7233 CVE-2017-7234

Change-Id: Ie8400a28114af2fe928221ec95e5973965fdd2fe
Closes-Bug: #1679820

Ilya Bumarskov (ibumarskov) wrote :

Verified on Fuel 9.2 MU2 (MOS_UBUNTU_ID=9.0-2017-06-20-142429)

Cluster was updated from 9.1 to 9.2MU2:

root@node-3:~# apt-cache policy python-django
python-django:
  Installed: 1.8.7-2~u14.04+mos2
  Candidate: 1.8.7-2~u14.04+mos2
  Version table:
 *** 1.8.7-2~u14.04+mos2 0
       1050 http://mirror.fuel-infra.org/mos-repos/ubuntu/snapshots/9.0-2017-06-20-142429/ mos9.0-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.8.7-2~u14.04+mos1 0
       1050 http://10.109.0.2:8080/mitaka-9.0/ubuntu/x86_64/ mos9.0/main amd64 Packages
     1.6.11-0ubuntu1.1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     1.6.1-2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Dmitry (dtsapikov) wrote :

Verified on 8.0+MU5

root@node-1:~# apt-cache policy python-django
python-django:
  Installed: 1.7.9-1~u14.04+mos2
  Candidate: 1.7.9-1~u14.04+mos2
  Version table:
 *** 1.7.9-1~u14.04+mos2 0
       1050 http://us.mirror.fuel-infra.org/mos-repos/ubuntu/snapshots/8.0-latest/ mos8.0-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.7.9-1~u14.04+mos1 0
       1050 http://10.109.0.2:8080/liberty-8.0/ubuntu/x86_64/ mos8.0/main amd64 Packages
     1.6.11-0ubuntu1.1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     1.6.1-2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

tags: added: on-verification
tags: removed: on-verification
Changed in mos:
status: Confirmed → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
