Bug 877993 - (CVE-2014-1418) VUL-0: CVE-2014-1418: python-django: Insecure redirects and cache poisoning
Status: VERIFIED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/98807/
Whiteboard: maint:running:57432:moderate maint:r...
Reported: 2014-05-15 08:53 UTC by Johannes Segitz
Modified: 2015-02-19 10:32 UTC
Found By: Security Response Team

Description Johannes Segitz 2014-05-15 08:53:46 UTC
Via oss-security

Two issues were reported in python-django:
- Caches may be allowed to store and serve private data (CVE-2014-1418)
- Malformed URLs from user input incorrectly validated.

Affected versions
- master development branch
- 1.7
- 1.6
- 1.5
- 1.4

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1097500
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1418.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1418
https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/
Comment 1 Swamp Workflow Management 2014-05-15 08:56:38 UTC
The SWAMPID for this issue is 57432.
This issue was rated as moderate.
Please submit fixed packages by 2014-05-29.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 SMASH SMASH 2014-05-15 09:00:19 UTC
Affected packages:

SLE-11-SP3: python-django
SLE-11-SP3-PRODUCTS: python-django
SLE-11-SP3-CLOUD4: python-django
Comment 3 Swamp Workflow Management 2014-05-15 22:00:30 UTC
bugbot adjusting priority
Comment 4 Johannes Segitz 2014-05-20 08:56:24 UTC
Second issue (malformed URLs from user input incorrectly validated) received a CVE. 
https://bugzilla.novell.com/show_bug.cgi?id=878641
Comment 10 Vincent Untz 2014-06-27 10:21:06 UTC
Reassigning to security team as fix was submitted.
Comment 11 Swamp Workflow Management 2014-06-27 19:46:14 UTC
Update released for: python-django
Products:
SUSE-CLOUD 3.0 (x86_64)
Comment 12 Swamp Workflow Management 2014-06-27 23:04:58 UTC
SUSE-SU-2014:0851-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 874950,874955,874956,877993,878641
CVE References: CVE-2014-0472,CVE-2014-0473,CVE-2014-0474,CVE-2014-1418,CVE-2014-3730
Sources used:
SUSE Cloud 3 (src):    python-django-1.5.8-0.7.1
Comment 13 Alexander Bergmann 2014-08-19 08:18:00 UTC
Fix was released. Closing bug.
Comment 14 Swamp Workflow Management 2014-09-16 13:05:01 UTC
openSUSE-SU-2014:1132-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 874950,874955,874956,877993,878641,893087,893088,893089,893090
CVE References: CVE-2014-0472,CVE-2014-0473,CVE-2014-0474,CVE-2014-0480,CVE-2014-0481,CVE-2014-0482,CVE-2014-0483,CVE-2014-1418,CVE-2014-3730
Sources used:
openSUSE 13.1 (src):    python-django-1.5.10-0.2.8.1
openSUSE 12.3 (src):    python-django-1.4.15-2.12.1