CVE-2015-0221 backport broke serving static content through GZipMiddleware

Bug #1417274 reported by Nelson Elhage on 2015-02-02
Affects                  Status   Importance   Assigned to         Milestone
python-django (Ubuntu)            Undecided    Unassigned
  Lucid                           Undecided    Marc Deslauriers
  Precise                         Undecided    Marc Deslauriers

Bug Description

Ubuntu backported the CVE-2015-0221 fix, which makes `django.views.static.serve` stream file contents. However, https://github.com/django/django/commit/1e39d0f6280abf34c7719db5e7ed1c333f5e5919 was not backported, and without that fix, the Django GZipMiddleware is unable to handle streaming content, breaking django applications that combine static file serving with the gzip middleware. See upstream bug https://code.djangoproject.com/ticket/24158 for more information.
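A standalone sketch of the streaming-safe compression that the missing commit has to provide, written as an added example for this report rather than taken from Django or the Ubuntu patch; the function names, the `streaming` flag and the sample chunks are assumptions made for illustration:

```python
import zlib
from typing import Iterable, Iterator, List


def compress_sequence(chunks: Iterable[bytes]) -> Iterator[bytes]:
    """Gzip an iterable of byte chunks incrementally (assumed name).

    A streaming response has no single body to hand to the compressor, and
    reading it all up front would buffer the whole file and defeat the point
    of streaming. Each chunk is therefore compressed and sync-flushed as it
    passes through; the gzip trailer is written only once the source is
    exhausted. wbits=31 selects the gzip container (header + CRC trailer).
    """
    compressor = zlib.compressobj(wbits=31)
    for chunk in chunks:
        out = compressor.compress(chunk) + compressor.flush(zlib.Z_SYNC_FLUSH)
        if out:
            yield out
    yield compressor.flush()  # Z_FINISH: emits the gzip trailer


def gzip_body(body, streaming: bool):
    """The per-response decision a gzip middleware must make (assumed shape).

    A buffered body is compressed in one go; a streaming body is wrapped
    lazily so the middleware never reads a whole-body attribute it may not
    have, which is the failure mode described in this report.
    """
    if streaming:
        return compress_sequence(body)
    return b"".join(compress_sequence([body]))


def gunzip(encoded) -> bytes:
    """Decode what a client receives, whether bytes or an iterator of bytes."""
    data = encoded if isinstance(encoded, bytes) else b"".join(encoded)
    return zlib.decompress(data, wbits=31)


def chunks_pulled_for_first_output(chunks: List[bytes]) -> int:
    """Count source chunks consumed before the first compressed chunk appears;
    a result of 1 shows the wrapper streams instead of buffering."""
    pulled = 0

    def tracked():
        nonlocal pulled
        for c in chunks:  # constructed sample chunks stand in for file reads
            pulled += 1
            yield c

    next(compress_sequence(tracked()))
    return pulled
```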

CVE References

Changed in python-django (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-django (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-django (Ubuntu):
status: New → Invalid
Changed in python-django (Ubuntu Lucid):
status: New → Confirmed
Changed in python-django (Ubuntu Precise):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Could you please try the packages in the following PPA, to make sure they fix the regression without causing any further issues?

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa

If it works for you, I will release it as a security regression update.

Thanks!

Nelson Elhage (nelhage) wrote :

I can confirm that resolves the issue in my environment, with no other issues I've noticed. Thanks for the prompt update!

Marc Deslauriers (mdeslaur) wrote :

Actually, the packages in that PPA introduce other regressions; they still need work.

Marc Deslauriers (mdeslaur) wrote :

OK, I've now uploaded (1.3.1-4ubuntu1.15) for precise in the same PPA with a less intrusive backport.

Could you give it a try, please?

Nelson Elhage (nelhage) wrote :

That's also working fine in my environment.

Marc Deslauriers (mdeslaur) wrote :

Great! Thanks for testing, Nelson. I'll push them out today.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3.1-4ubuntu1.15

---------------
python-django (1.3.1-4ubuntu1.15) precise-security; urgency=medium

  * SECURITY REGRESSION: static serve failure (LP: #1417274)
    - debian/patches/CVE-2015-0221-regression.patch: allow GZipMiddleware
      to work with streaming responses in django/middleware/gzip.py,
      django/utils/text.py, django/http/__init__.py, added tests to
      tests/regressiontests/middleware/tests.py.
 -- Marc Deslauriers <email address hidden> Wed, 04 Feb 2015 09:03:07 -0500

Changed in python-django (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.1.1-2ubuntu1.16

---------------
python-django (1.1.1-2ubuntu1.16) lucid-security; urgency=medium

  * SECURITY REGRESSION: static serve failure (LP: #1417274)
    - debian/patches/CVE-2015-0221-regression.patch: allow GZipMiddleware
      to work with streaming responses in django/middleware/gzip.py,
      django/utils/text.py, django/http/__init__.py, added tests to
      tests/regressiontests/middleware/tests.py.
 -- Marc Deslauriers <email address hidden> Wed, 04 Feb 2015 10:08:10 -0500

Changed in python-django (Ubuntu Lucid):
status: Confirmed → Fix Released