CVE-2015-0221 backport broke serving static content through GZipMiddleware

Bug #1417274 reported by Nelson Elhage
Affects                 Status         Importance  Assigned to       Milestone
python-django (Ubuntu)  Invalid        Undecided   Unassigned
  Lucid                 Fix Released   Undecided   Marc Deslauriers
  Precise               Fix Released   Undecided   Marc Deslauriers

Bug Description

Ubuntu backported the CVE-2015-0221 fix, which makes `django.views.static.serve` stream file contents. However, https://github.com/django/django/commit/1e39d0f6280abf34c7719db5e7ed1c333f5e5919 was not backported, and without that fix, the Django GZipMiddleware is unable to handle streaming content, breaking Django applications that combine static file serving with the gzip middleware. See upstream bug https://code.djangoproject.com/ticket/24158 for more information.
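To make the failure mode concrete, here is an added, self-contained illustration (not Django's code, not the Ubuntu patch, and not part of the original report). It models the two shapes a response can take after the CVE-2015-0221 change: a fixed `content` body, and a streaming body exposed only as an iterator of chunks. `legacy_gzip_middleware` compresses the way a pre-fix middleware would, by reading `response.content`, and therefore fails on a streaming response; `gzip_middleware` handles both shapes by gzipping the chunk iterator lazily, so the file is never buffered in memory and each emitted piece is valid gzip output. The `Response` class, the chunk sizes and the sample body are constructed for the example.

```python
import gzip
import io
from typing import Iterable, Iterator


class Response:
    """Constructed stand-in for an HTTP response (not Django's HttpResponse).

    A non-streaming response carries the whole body in `content`; a streaming
    one exposes only `streaming_content`, an iterator of byte chunks.
    """

    def __init__(self, body, streaming: bool = False):
        self.headers: dict = {}
        self.streaming = streaming
        if streaming:
            self.streaming_content = body
        else:
            self.content = body


def file_chunks(data: bytes, size: int = 64) -> Iterator[bytes]:
    """Serve `data` the way a static-file view streams a file: in fixed chunks."""
    for offset in range(0, len(data), size):
        yield data[offset:offset + size]


def compress_string(data: bytes) -> bytes:
    """Gzip a complete in-memory body (mtime=0 keeps the output deterministic)."""
    buf = io.BytesIO()
    with gzip.GzipFile(mode="wb", compresslevel=6, fileobj=buf, mtime=0) as zf:
        zf.write(data)
    return buf.getvalue()


def compress_sequence(chunks: Iterable[bytes]) -> Iterator[bytes]:
    """Lazily gzip an iterable of chunks into one gzip member.

    The gzip header is yielded first, then a sync-flushed deflate block per
    input chunk, then the CRC32/length trailer. The client can start
    decompressing before the server has read the whole file.
    """
    buf = io.BytesIO()
    with gzip.GzipFile(mode="wb", compresslevel=6, fileobj=buf, mtime=0) as zf:
        yield buf.getvalue()          # header written by the constructor
        buf.seek(0); buf.truncate()
        for chunk in chunks:
            zf.write(chunk)
            zf.flush()                # Z_SYNC_FLUSH: emit everything so far
            yield buf.getvalue()
            buf.seek(0); buf.truncate()
    yield buf.getvalue()              # close() wrote the final block + trailer


def legacy_gzip_middleware(response: Response) -> Response:
    """Pre-fix behaviour: assumes every response has a materialised `content`."""
    compressed = compress_string(response.content)   # AttributeError if streaming
    response.content = compressed
    response.headers["Content-Encoding"] = "gzip"
    return response


def gzip_middleware(response: Response, accept_encoding: str = "gzip") -> Response:
    """Fixed behaviour: compress in-memory bodies eagerly, streaming bodies lazily."""
    if "gzip" not in accept_encoding or response.headers.get("Content-Encoding"):
        return response                  # client can't take it, or already encoded
    if response.streaming:
        response.streaming_content = compress_sequence(response.streaming_content)
        response.headers.pop("Content-Length", None)  # length unknown until streamed
    else:
        if len(response.content) < 200:
            return response              # not worth the CPU for tiny bodies
        compressed = compress_string(response.content)
        if len(compressed) >= len(response.content):
            return response              # incompressible; send the original
        response.content = compressed
        response.headers["Content-Length"] = str(len(compressed))
    response.headers["Content-Encoding"] = "gzip"
    response.headers["Vary"] = "Accept-Encoding"
    return response


def decompress_body(response: Response) -> bytes:
    """What a client would see after undoing the middleware's encoding."""
    raw = b"".join(response.streaming_content) if response.streaming else response.content
    return gzip.decompress(raw) if response.headers.get("Content-Encoding") == "gzip" else raw


def legacy_breaks_on_streaming(body: bytes) -> bool:
    """True if the pre-fix middleware raises on a streaming response."""
    try:
        legacy_gzip_middleware(Response(file_chunks(body), streaming=True))
    except AttributeError:
        return True
    return False


if __name__ == "__main__":
    sample = b"constructed static asset line\n" * 40   # constructed sample body
    print("legacy middleware breaks on streaming:", legacy_breaks_on_streaming(sample))
    fixed = gzip_middleware(Response(file_chunks(sample), streaming=True))
    print("fixed middleware round-trips:", decompress_body(fixed) == sample)
```

The design point mirrors the upstream ticket: a middleware that touches `response.content` silently assumes the body is already in memory, and a later change that makes a view stream (here, the static file view) turns that assumption into a hard failure for every request through that path. Branching on `streaming` and wrapping the iterator keeps the memory profile of the streaming view intact, at the cost of an unknown `Content-Length`, which is why the header is dropped rather than left stale.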

Changed in python-django (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-django (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-django (Ubuntu):
status: New → Invalid
Changed in python-django (Ubuntu Lucid):
status: New → Confirmed
Changed in python-django (Ubuntu Precise):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Could you please try the packages in the following PPA, to make sure they fix the regression without causing any further issues?

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa

If it works for you, I will release it as a security regression update.

Thanks!

Nelson Elhage (nelhage) wrote :

I can confirm that resolves the issue in my environment, with no other issues I've noticed. Thanks for the prompt update!

Marc Deslauriers (mdeslaur) wrote :

Actually, the packages in that PPA introduce other regressions; they still need work.

Marc Deslauriers (mdeslaur) wrote :

OK, I've now uploaded (1.3.1-4ubuntu1.15) for precise in the same PPA with a less intrusive backport.

Could you give it a try, please?

Nelson Elhage (nelhage) wrote :

That's also working fine in my environment.

Marc Deslauriers (mdeslaur) wrote :

Great! Thanks for testing, Nelson. I'll push them out today.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3.1-4ubuntu1.15

---------------
python-django (1.3.1-4ubuntu1.15) precise-security; urgency=medium

  * SECURITY REGRESSION: static serve failure (LP: #1417274)
    - debian/patches/CVE-2015-0221-regression.patch: allow GZipMiddleware
      to work with streaming responses in django/middleware/gzip.py,
      django/utils/text.py, django/http/__init__.py, added tests to
      tests/regressiontests/middleware/tests.py.
 -- Marc Deslauriers <email address hidden> Wed, 04 Feb 2015 09:03:07 -0500

Changed in python-django (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.1.1-2ubuntu1.16

---------------
python-django (1.1.1-2ubuntu1.16) lucid-security; urgency=medium

  * SECURITY REGRESSION: static serve failure (LP: #1417274)
    - debian/patches/CVE-2015-0221-regression.patch: allow GZipMiddleware
      to work with streaming responses in django/middleware/gzip.py,
      django/utils/text.py, django/http/__init__.py, added tests to
      tests/regressiontests/middleware/tests.py.
 -- Marc Deslauriers <email address hidden> Wed, 04 Feb 2015 10:08:10 -0500

Changed in python-django (Ubuntu Lucid):
status: Confirmed → Fix Released