Mailinglist Archive: opensuse-updates (64 mails)

openSUSE-SU-2014:1132-1: moderate: python-django: security and bugfix update
openSUSE Security Update: python-django: security and bugfix update
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:1132-1
Rating: moderate
References: #874950 #874955 #874956 #877993 #878641 #893087
#893088 #893089 #893090
Cross-References: CVE-2014-0472 CVE-2014-0473 CVE-2014-0474
CVE-2014-0480 CVE-2014-0481 CVE-2014-0482
CVE-2014-0483 CVE-2014-1418 CVE-2014-3730

Affected Products:
openSUSE 13.1
openSUSE 12.3
______________________________________________________________________________

An update that fixes 9 vulnerabilities is now available.

Description:

Python Django was updated to fix security issues and bugs.

Update to version 1.4.15 on openSUSE 12.3:
+ Prevented reverse() from generating URLs pointing to other hosts to
prevent phishing attacks (bnc#893087, CVE-2014-0480)
+ Removed O(n) algorithm when uploading duplicate file names to fix file
upload denial of service (bnc#893088, CVE-2014-0481)
+ Modified RemoteUserMiddleware to logout on REMOTE_USER change to prevent
session hijacking (bnc#893089, CVE-2014-0482)
+ Prevented data leakage in contrib.admin via query string manipulation
(bnc#893090, CVE-2014-0483)
+ Fixed: Caches may incorrectly be allowed to store and serve private data
(bnc#877993, CVE-2014-1418)
+ Fixed: Malformed redirect URLs from user input not correctly validated
(bnc#878641, CVE-2014-3730)
+ Fixed queries that may return unexpected results on MySQL due to
typecasting (bnc#874956, CVE-2014-0474)
+ Prevented leaking the CSRF token through caching (bnc#874955,
CVE-2014-0473)
+ Fixed a remote code execution vulnerability in URL reversing (bnc#874950,
CVE-2014-0472)

Update to version 1.5.10 on openSUSE 13.1:
+ Prevented reverse() from generating URLs pointing to other hosts to
prevent phishing attacks (bnc#893087, CVE-2014-0480)
+ Removed O(n) algorithm when uploading duplicate file names to fix file
upload denial of service (bnc#893088, CVE-2014-0481)
+ Modified RemoteUserMiddleware to logout on REMOTE_USER change to prevent
session hijacking (bnc#893089, CVE-2014-0482)
+ Prevented data leakage in contrib.admin via query string manipulation
(bnc#893090, CVE-2014-0483)

- Update to version 1.5.8:
+ Fixed: Caches may incorrectly be allowed to store and serve private data
(bnc#877993, CVE-2014-1418)
+ Fixed: Malformed redirect URLs from user input not correctly validated
(bnc#878641, CVE-2014-3730)
+ Fixed queries that may return unexpected results on MySQL due to
typecasting (bnc#874956, CVE-2014-0474)
+ Prevented leaking the CSRF token through caching (bnc#874955,
CVE-2014-0473)
+ Fixed a remote code execution vulnerability in URL reversing (bnc#874950,
CVE-2014-0472)


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

zypper in -t patch openSUSE-2014-542

- openSUSE 12.3:

zypper in -t patch openSUSE-2014-542

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 13.1 (noarch):

python-django-1.5.10-0.2.8.1

- openSUSE 12.3 (noarch):

python-django-1.4.15-2.12.1
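As an added verification aid (not part of the advisory or of openSUSE's tooling): a small Python script that takes the output of `rpm -q python-django` on a host, parses its version-release, and compares it against the fixed version-release from the Package List above using a simplified rpm-style version comparison. The `rpm -q` lines for unpatched hosts used in the comments are constructed for illustration; the fixed versions are the ones listed in this advisory.

```python
import re

# Fixed version-release per product, taken from the advisory's Package List.
FIXED = {
    "openSUSE 13.1": "1.5.10-0.2.8.1",
    "openSUSE 12.3": "1.4.15-2.12.1",
}

# rpm splits a version into runs of digits and runs of letters.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Simplified rpm version compare (no '~'/'^' handling): returns -1, 0, 1.
    Numeric segments compare as integers (so 10 > 8), a numeric segment
    beats an alphabetic one, and a longer string with equal prefix is newer."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return -1 if int(x) < int(y) else 1
        if xd != yd:
            return 1 if xd else -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare two 'version-release' strings: version first, then release."""
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return rpmvercmp(va or a, vb or b) or rpmvercmp(ra, rb)


def is_patched(product, rpm_q_line):
    """rpm_q_line is one line of `rpm -q python-django` output, assumed to look
    like 'python-django-1.5.10-0.2.8.1.noarch' (arch suffix optional).
    Returns True when the installed version-release is at least the fixed one."""
    m = re.fullmatch(r"python-django-(.+?)(?:\.noarch)?", rpm_q_line.strip())
    if not m:
        raise ValueError(f"unexpected rpm -q output: {rpm_q_line!r}")
    return evr_cmp(m.group(1), FIXED[product]) >= 0


if __name__ == "__main__":
    # Constructed sample: an older 13.1 build is reported as not patched.
    print(is_patched("openSUSE 13.1", "python-django-1.5.8-0.2.6.1.noarch"))
```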


References:

http://support.novell.com/security/cve/CVE-2014-0472.html
http://support.novell.com/security/cve/CVE-2014-0473.html
http://support.novell.com/security/cve/CVE-2014-0474.html
http://support.novell.com/security/cve/CVE-2014-0480.html
http://support.novell.com/security/cve/CVE-2014-0481.html
http://support.novell.com/security/cve/CVE-2014-0482.html
http://support.novell.com/security/cve/CVE-2014-0483.html
http://support.novell.com/security/cve/CVE-2014-1418.html
http://support.novell.com/security/cve/CVE-2014-3730.html
https://bugzilla.novell.com/874950
https://bugzilla.novell.com/874955
https://bugzilla.novell.com/874956
https://bugzilla.novell.com/877993
https://bugzilla.novell.com/878641
https://bugzilla.novell.com/893087
https://bugzilla.novell.com/893088
https://bugzilla.novell.com/893089
https://bugzilla.novell.com/893090

