Bugzilla – Bug 913053
VUL-1: CVE-2015-0219: python-django: WSGI header spoofing via underscore/dash conflation
Last modified: 2015-09-22 09:11:54 UTC
CVE-2015-0219

When HTTP headers are placed into the WSGI environ, they are normalized by converting to uppercase, converting all dashes to underscores, and prepending `HTTP_`. For instance, a header ``X-Auth-User`` would become ``HTTP_X_AUTH_USER`` in the WSGI environ (and thus also in Django's ``request.META`` dictionary).

Unfortunately, this means that the WSGI environ cannot distinguish between headers containing dashes and headers containing underscores: ``X-Auth-User`` and ``X-Auth_User`` both become ``HTTP_X_AUTH_USER``. This means that if a header is used in a security-sensitive way (for instance, passing authentication information along from a front-end proxy), even if the proxy carefully strips any incoming value for ``X-Auth-User``, an attacker may be able to provide an ``X-Auth_User`` header (with underscore) and bypass this protection.

In order to prevent such attacks, both Nginx and Apache 2.4+ strip all headers containing underscores from incoming requests by default. Django's built-in development server now does the same. Django's development server is not recommended for production use, but matching the behavior of common production servers reduces the surface area for behavior changes during deployment.

References:
https://www.djangoproject.com/weblog/2015/jan/13/security/
https://bugzilla.redhat.com/show_bug.cgi?id=1179672
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0219
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0219.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0219
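The conflation described above and the server-side fix, as an added illustration that is not code from Django or from this bug report: the header normalization follows PEP 3333, the comma-joining of repeated keys mirrors what wsgiref's simple_server does, and the proxy logic, header names and user values are constructed for the demonstration.

```python
def wsgi_environ_key(header_name):
    # PEP 3333 normalization: uppercase, '-' -> '_', prefix with HTTP_.
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(headers):
    """HTTP_* part of a WSGI environ built from (name, value) pairs, joining
    repeated keys with commas the way wsgiref.simple_server does."""
    environ = {}
    for name, value in headers:
        key = wsgi_environ_key(name)
        environ[key] = environ[key] + "," + value if key in environ else value
    return environ


def strip_underscore_headers(headers):
    """The fix, applied before normalization (as nginx, Apache 2.4+ and
    Django's runserver do): drop any header whose raw name has an underscore,
    because after normalization it can no longer be told apart."""
    return [(n, v) for n, v in headers if "_" not in n]


def proxy_forward(client_headers, authenticated_user):
    """Constructed front-end proxy: remove any client-supplied X-Auth-User
    and add its own. It matches the dashed spelling only, so a header
    spelled X-Auth_User is not removed."""
    kept = [(n, v) for n, v in client_headers if n.lower() != "x-auth-user"]
    return kept + [("X-Auth-User", authenticated_user)]


# Constructed sample request: the client uses the underscore spelling.
CLIENT_HEADERS = [("Host", "app.example"), ("X-Auth_User", "mallory")]


def auth_user_seen_by_app(strip_underscores, client_headers=CLIENT_HEADERS):
    """Value the application reads from request.META['HTTP_X_AUTH_USER']
    after the proxy has forwarded the request and the server normalized it."""
    forwarded = proxy_forward(client_headers, "alice")
    if strip_underscores:
        forwarded = strip_underscore_headers(forwarded)
    return build_environ(forwarded)["HTTP_X_AUTH_USER"]


if __name__ == "__main__":
    # Without the fix the client-controlled value lands in the trusted key.
    print("vulnerable:", auth_user_seen_by_app(False))  # mallory,alice
    print("fixed:     ", auth_user_seen_by_app(True))   # alice
```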
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2015-03-19. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60743
SUSE-SU-2015:0563-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (low)
Bug References: 913053,913054,913055,913056,914706
CVE References: CVE-2015-0219,CVE-2015-0220,CVE-2015-0221,CVE-2015-0222
Sources used: SUSE Cloud 4 (src): python-django-1.5.12-0.7.1
This is an autogenerated message for OBS integration: This bug (913053) was mentioned in https://build.opensuse.org/request/show/292722 13.2 / python-Django
openSUSE-SU-2015:0643-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 913053,913055,913056,923172,923176
CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317
Sources used: openSUSE 13.2 (src): python-Django-1.6.11-3.4.1
all updates are submitted+accepted
SUSE-SU-2015:1109-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 913053,913055,913056,923172,923176
CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317
Sources used: SUSE Enterprise Storage 1.0 (src): python-Django-1.6.11-4.1
SUSE-SU-2015:1112-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 913053,913055,913056,923172,923176
CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317
Sources used: SUSE Enterprise Storage 1.0 (src): python-Django-1.6.11-4.1
This is an autogenerated message for OBS integration: This bug (913053) was mentioned in https://build.opensuse.org/request/show/330037 13.1 / python-django
This is an autogenerated message for OBS integration: This bug (913053) was mentioned in https://build.opensuse.org/request/show/330056 13.1 / python-django
openSUSE-SU-2015:1598-1: An update that solves 6 vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 913053,913054,913055,913056,914706,923176,941587
CVE References: CVE-2015-0219,CVE-2015-0220,CVE-2015-0221,CVE-2015-0222,CVE-2015-2317,CVE-2015-5963
Sources used: openSUSE 13.1 (src): python-django-1.5.12-0.2.11.1