openSUSE Security Update: python-django: security and bugfix update
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1132-1
Rating:             moderate
References:         #874950 #874955 #874956 #877993 #878641 #893087
                    #893088 #893089 #893090
Cross-References:   CVE-2014-0472 CVE-2014-0473 CVE-2014-0474 CVE-2014-0480
                    CVE-2014-0481 CVE-2014-0482 CVE-2014-0483 CVE-2014-1418
                    CVE-2014-3730
Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________

An update that fixes 9 vulnerabilities is now available.

Description:

Python Django was updated to fix security issues and bugs.

Update to version 1.4.15 on openSUSE 12.3:

+ Prevented reverse() from generating URLs pointing to other hosts to
  prevent phishing attacks (bnc#893087, CVE-2014-0480)
+ Removed O(n) algorithm when uploading duplicate file names to fix file
  upload denial of service (bnc#893088, CVE-2014-0481)
+ Modified RemoteUserMiddleware to log out on REMOTE_USER change to
  prevent session hijacking (bnc#893089, CVE-2014-0482)
+ Prevented data leakage in contrib.admin via query string manipulation
  (bnc#893090, CVE-2014-0483)
+ Fixed: Caches may incorrectly be allowed to store and serve private
  data (bnc#877993, CVE-2014-1418)
+ Fixed: Malformed redirect URLs from user input not correctly validated
  (bnc#878641, CVE-2014-3730)
+ Fixed queries that may return unexpected results on MySQL due to
  typecasting (bnc#874956, CVE-2014-0474)
+ Prevented leaking the CSRF token through caching (bnc#874955,
  CVE-2014-0473)
+ Fixed a remote code execution vulnerability in URL reversing
  (bnc#874950, CVE-2014-0472)

Update to version 1.5.10 on openSUSE 13.1:

+ Prevented reverse() from generating URLs pointing to other hosts to
  prevent phishing attacks (bnc#893087, CVE-2014-0480)
+ Removed O(n) algorithm when uploading duplicate file names to fix file
  upload denial of service (bnc#893088, CVE-2014-0481)
+ Modified RemoteUserMiddleware to log out on REMOTE_USER change to
  prevent session hijacking (bnc#893089, CVE-2014-0482)
+ Prevented data leakage in contrib.admin via query string manipulation
  (bnc#893090, CVE-2014-0483)
- Update to version 1.5.8:
  + Fixed: Caches may incorrectly be allowed to store and serve private
    data (bnc#877993, CVE-2014-1418)
  + Fixed: Malformed redirect URLs from user input not correctly
    validated (bnc#878641, CVE-2014-3730)
  + Fixed queries that may return unexpected results on MySQL due to
    typecasting (bnc#874956, CVE-2014-0474)
  + Prevented leaking the CSRF token through caching (bnc#874955,
    CVE-2014-0473)
  + Fixed a remote code execution vulnerability in URL reversing
    (bnc#874950, CVE-2014-0472)

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:
  zypper in -t patch openSUSE-2014-542

- openSUSE 12.3:
  zypper in -t patch openSUSE-2014-542

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.1 (noarch):
  python-django-1.5.10-0.2.8.1

- openSUSE 12.3 (noarch):
  python-django-1.4.15-2.12.1

References:

http://support.novell.com/security/cve/CVE-2014-0472.html
http://support.novell.com/security/cve/CVE-2014-0473.html
http://support.novell.com/security/cve/CVE-2014-0474.html
http://support.novell.com/security/cve/CVE-2014-0480.html
http://support.novell.com/security/cve/CVE-2014-0481.html
http://support.novell.com/security/cve/CVE-2014-0482.html
http://support.novell.com/security/cve/CVE-2014-0483.html
http://support.novell.com/security/cve/CVE-2014-1418.html
http://support.novell.com/security/cve/CVE-2014-3730.html
https://bugzilla.novell.com/874950
https://bugzilla.novell.com/874955
https://bugzilla.novell.com/874956
https://bugzilla.novell.com/877993
https://bugzilla.novell.com/878641
https://bugzilla.novell.com/893087
https://bugzilla.novell.com/893088
https://bugzilla.novell.com/893089
https://bugzilla.novell.com/893090
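After applying the patch, a practitioner typically wants to confirm that the installed python-django package is at or above the fixed build listed in the Package List. The following POSIX shell script is an added example and is not part of the openSUSE advisory; the fixed version-release strings come from the advisory above, the function names are the author's own, and the installed version on a live host is assumed to be read with `rpm -q --qf '%{VERSION}-%{RELEASE}\n' python-django`. Versions are compared field by field as integers, which matches rpm's ordering for these plain dotted version-release strings; for a strict rpm comparison on a real host, use `zypper versioncmp` instead.

```shell
#!/bin/sh
# Added example, not from the advisory: verify that python-django on an
# openSUSE 12.3 or 13.1 host carries the fixed build from openSUSE-SU-2014:1132-1.

fixed_version_for_product() {
    # Map an openSUSE product to the fixed python-django VERSION-RELEASE
    # taken from the advisory's Package List.
    case "$1" in
        13.1) echo "1.5.10-0.2.8.1" ;;
        12.3) echo "1.4.15-2.12.1" ;;
        *)    return 1 ;;
    esac
}

version_field() {
    # Print the Nth numeric field of a version string split on '.' and '-'.
    printf '%s\n' "$1" | tr '.' '\n' | tr '-' '\n' | sed -n "${2}p"
}

version_ge() {
    # Return 0 when version $1 is greater than or equal to version $2.
    # Fields are compared as integers; a missing field counts as 0.
    i=1
    while :; do
        x=$(version_field "$1" "$i")
        y=$(version_field "$2" "$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 0            # all fields equal
        fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

django_is_patched() {
    # $1: product (13.1 or 12.3)
    # $2: installed VERSION-RELEASE of python-django
    # Returns 0 if patched, 1 if still vulnerable, 2 for an unknown product.
    fixed=$(fixed_version_for_product "$1") || return 2
    version_ge "$2" "$fixed"
}

# Usage on a live host (assumes rpm is available; uncomment to run):
# installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' python-django)
# if django_is_patched 13.1 "$installed"; then
#     echo "python-django $installed: patched"
# else
#     echo "python-django $installed: NOT patched, run: zypper in -t patch openSUSE-2014-542"
# fi
```

The check deliberately compares the release part as well as the upstream version, because the fix for openSUSE 13.1 ships as a distribution rebuild (1.5.10-0.2.8.1); a host that merely reports "1.5.10" is not proof that the packaged fix is installed.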