SECURITY - multiple vulnerabilities, upgrade needed to 1.2.5 or 1.1.4

Bug #719031 reported by Guillaume Pratte on 2011-02-14
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-django (Ubuntu)
Medium
Jamie Strandboge
Hardy
Medium
Unassigned
Karmic
Medium
Jamie Strandboge
Lucid
Medium
Jamie Strandboge
Maverick
Medium
Jamie Strandboge
Natty
Medium
Jamie Strandboge

Bug Description

Binary package hint: python-django

See this link: http://www.djangoproject.com/weblog/2011/feb/08/security/
No CVE seems to have been assigned yet.

" Today the Django team is issuing multiple releases -- Django 1.2.5 and Django 1.1.4 -- to remedy three security issues reported to us. All users of affected versions of Django are urged to upgrade immediately. "

* Flaw in CSRF handling
* Potential XSS in file field rendering
* Directory-traversal vulnerability on Windows

visibility: private → public

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Guillaume Pratte wrote:
> See this link: http://www.djangoproject.com/weblog/2011/feb/08/security/
> No CVE seems to have been assigned yet.

As reported to us (Django), the following IDs have been assigned:

CVE-2011-0696 -- CSRF
CVE-2011-0697 -- file field XSS
CVE-2011-0698 -- directory traversal

- --
James Bennett
<email address hidden>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1ZrLwACgkQNoTAwIyLKuG6nQCgou9wAa9lzkZmhT9zzPc1cPok
MEIAmgJd846BOUni/pLoiNu2mG1sgeai
=UtW5
-----END PGP SIGNATURE-----

Changed in python-django (Ubuntu Hardy):
status: New → Confirmed
Changed in python-django (Ubuntu Karmic):
status: New → Confirmed
Changed in python-django (Ubuntu Lucid):
importance: Undecided → Medium
status: New → Confirmed
Changed in python-django (Ubuntu Maverick):
importance: Undecided → Medium
status: New → Confirmed
Changed in python-django (Ubuntu Natty):
importance: Undecided → Medium
status: New → Confirmed
Changed in python-django (Ubuntu Karmic):
importance: Undecided → Medium
Changed in python-django (Ubuntu Hardy):
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

CVE-2011-0698 only affects Windows.

Changed in python-django (Ubuntu Lucid):
status: Confirmed → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in python-django (Ubuntu Maverick):
status: Confirmed → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in python-django (Ubuntu Karmic):
status: Confirmed → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in python-django (Ubuntu Natty):
status: Confirmed → Triaged
Jamie Strandboge (jdstrand) wrote :

Hardy's python-django is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures.

Jamie Strandboge (jdstrand) wrote :

After fixing the stable releases, I am going to look at Natty. If Debian unstable has 1.2.5 by then, I will perform a merge, otherwise I will update the existing natty package.

Changed in python-django (Ubuntu Natty):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in python-django (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in python-django (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in python-django (Ubuntu Karmic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.2.3-1ubuntu0.2.10.10.2

---------------
python-django (1.2.3-1ubuntu0.2.10.10.2) maverick-security; urgency=low

  * SECURITY UPDATE: flaw in CSRF handling (LP: #719031)
    - debian/patches/09_CVE-2011-0696.diff: apply full CSRF validation to all
      requests, regardless of apparent AJAX origin. This is technically
      backwards-incompatible, but the security risks have been judged to
      outweigh the compatibility concerns in this case. See the Django project
      notes for more information:
      http://www.djangoproject.com/weblog/2011/feb/08/security/
    - CVE-2011-0696
  * SECURITY UPDATE: potential XSS in file field rendering
    - debian/patches/10_admin_widgets-to-unittest.diff: prepare testsuite for
      security fix tests
    - debian/patches/11_CVE-2011-0697.diff: properly escape URL in
      django/contrib/admin/widgets.py
    - CVE-2011-0697
 -- Jamie Strandboge <email address hidden> Tue, 15 Feb 2011 17:04:19 -0600

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.1.1-2ubuntu1.3

---------------
python-django (1.1.1-2ubuntu1.3) lucid-security; urgency=low

  * SECURITY UPDATE: flaw in CSRF handling (LP: #719031)
    - debian/patches/10_CVE-2011-0696.diff: apply full CSRF validation to all
      requests, regardless of apparent AJAX origin. This is technically
      backwards-incompatible, but the security risks have been judged to
      outweigh the compatibility concerns in this case. See the Django project
      notes for more information:
      http://www.djangoproject.com/weblog/2011/feb/08/security/
    - CVE-2011-0696
  * SECURITY UPDATE: potential XSS in file field rendering
    - debian/patches/11_CVE-2011-0697.diff: properly escape URL in
      django/contrib/admin/widgets.py
    - CVE-2011-0697
 -- Jamie Strandboge <email address hidden> Tue, 15 Feb 2011 17:11:08 -0600

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.1.1-1ubuntu1.2

---------------
python-django (1.1.1-1ubuntu1.2) karmic-security; urgency=low

  * SECURITY UPDATE: flaw in CSRF handling (LP: #719031)
    - debian/patches/24_CVE-2011-0696.diff: apply full CSRF validation to all
      requests, regardless of apparent AJAX origin. This is technically
      backwards-incompatible, but the security risks have been judged to
      outweigh the compatibility concerns in this case. See the Django project
      notes for more information:
      http://www.djangoproject.com/weblog/2011/feb/08/security/
    - CVE-2011-0696
  * SECURITY UPDATE: potential XSS in file field rendering
    - debian/patches/25_CVE-2011-0697.diff: properly escape URL in
      django/contrib/admin/widgets.py
    - CVE-2011-0697
 -- Jamie Strandboge <email address hidden> Tue, 15 Feb 2011 17:18:54 -0600

Changed in python-django (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in python-django (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in python-django (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in python-django (Ubuntu Natty):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.2.5-1ubuntu1

---------------
python-django (1.2.5-1ubuntu1) natty; urgency=low

  * Merge from Debian for security fixes (LP: #719031). Remaining changes:
    - debian/control: don't Build-Depends on locales-all, which doesn't exist
      in natty
  * Drop the following patches, now included upstream:
    - debian/patches/07_security_admin_infoleak.diff
    - debian/patches/08_security_pasword_reset_dos.diff

python-django (1.2.5-1) unstable; urgency=low

  * New upstream release.
  * Do not compress objects.inv used by Sphinx generated documentation.
    Thanks to Michael Fladischer for the report. Closes: #608769

python-django (1.2.4-1) unstable; urgency=high

  * New bugfix-only upstream release. It includes security fixes.
    http://www.djangoproject.com/weblog/2010/dec/22/security/
  * Drop patches merged upstream:
    - debian/patches/05_fix_regression_tests.diff
    - debian/patches/06_fix_regression_tests.diff
  * Update 01_disable_url_verify_regression_tests.diff to cope with the
    updated regressions tests.
  * Update 03_manpage.diff and 04_hyphen-manpage.diff to cope with changes in
    the manual page.

python-django (1.2.3-2) unstable; urgency=low

  * Team upload.
  * Disable model tests that require an internet connection.
    Closes: #601070
  * Include python.mk conditionally as explained in its header.
    Helps backports to Lenny which has no python.mk.
    Closes: #601608
 -- Jamie Strandboge <email address hidden> Thu, 17 Feb 2011 13:34:07 -0600

Changed in python-django (Ubuntu Natty):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures'

Please feel free to report any other bugs you may find.

Changed in python-django (Ubuntu Hardy):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers