Bug 913053 - (CVE-2015-0219) VUL-1: CVE-2015-0219: python-django: WSGI header spoofing via underscore/dash conflation
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Minor
Target Milestone: ---
Assigned To: Bernhard Wiedemann
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/112320/
Depends on:
Blocks:
Reported: 2015-01-14 09:47 UTC by Victor Pereira
Modified: 2015-09-22 09:11 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Victor Pereira 2015-01-14 09:47:08 UTC
CVE-2015-0219

When HTTP headers are placed into the WSGI environ, they are normalized by converting to uppercase, converting all dashes to underscores, and prepending `HTTP_`. For instance, a header ``X-Auth-User`` would become ``HTTP_X_AUTH_USER`` in the WSGI environ (and thus also in Django's ``request.META`` dictionary).

Unfortunately, this means that the WSGI environ cannot distinguish between headers containing dashes and headers containing underscores: ``X-Auth-User`` and ``X-Auth_User`` both become ``HTTP_X_AUTH_USER``. This means that if a header is used in a security-sensitive way (for instance, passing authentication information along from a front-end proxy), even if the proxy carefully strips any incoming value for ``X-Auth-User``, an attacker may be able to provide an ``X-Auth_User`` header (with underscore) and bypass this protection.

In order to prevent such attacks, both Nginx and Apache 2.4+ strip all headers containing underscores from incoming requests by default. Django's built-in development server now does the same. Django's development server is not recommended for production use, but matching the behavior of common production servers reduces the surface area for behavior changes during deployment.

References:
https://www.djangoproject.com/weblog/2015/jan/13/security/
https://bugzilla.redhat.com/show_bug.cgi?id=1179672
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0219
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0219.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0219
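The collision described in the advisory, and the mitigation of dropping underscore headers, modelled in a few lines. This is an added illustration, not Django's or SUSE's code; the proxy, the header names and the request are constructed for the example, and `build_environ` is a simplified stand-in for a WSGI server's header handling.

```python
"""Added example: WSGI header-name normalisation conflates '-' and '_',
so a proxy that strips only ``X-Auth-User`` can be bypassed with ``X-Auth_User``.
Dropping underscore headers (as Nginx, Apache 2.4+ and Django's runserver do)
closes the gap. All names and values below are constructed for illustration."""


def wsgi_header_key(name: str) -> str:
    """Normalise a header name the way WSGI does: upper-case, '-' -> '_', HTTP_ prefix."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ(raw_headers, drop_underscore=False):
    """Build a minimal environ from (name, value) pairs; later names overwrite earlier ones.

    drop_underscore=True mimics servers that discard any header whose raw name
    contains an underscore before it can be normalised into the environ.
    """
    environ = {}
    for name, value in raw_headers:
        if drop_underscore and "_" in name:
            continue  # rejected before normalisation, so it can never collide
        environ[wsgi_header_key(name)] = value
    return environ


def proxy_strip(raw_headers, protected="x-auth-user"):
    """Hypothetical front-end proxy: strips client copies of the protected header by
    exact (case-insensitive) name, and sets nothing for an unauthenticated client."""
    return [(n, v) for n, v in raw_headers if n.lower() != protected]


def authenticated_user(environ):
    """Hypothetical application check that trusts the proxy-supplied header."""
    return environ.get("HTTP_X_AUTH_USER")


# Constructed request: the underscore spelling does not match the proxy's filter.
CLIENT_HEADERS = [("Host", "example.test"), ("X-Auth_User", "attacker")]


if __name__ == "__main__":
    forwarded = proxy_strip(CLIENT_HEADERS)
    print("naive server :", authenticated_user(build_environ(forwarded)))
    print("hardened     :", authenticated_user(build_environ(forwarded, drop_underscore=True)))
```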
Comment 1 Swamp Workflow Management 2015-01-14 23:00:55 UTC
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2015-02-19 12:21:29 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages by 2015-03-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60743
Comment 7 Swamp Workflow Management 2015-03-20 23:06:23 UTC
SUSE-SU-2015:0563-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 913053,913054,913055,913056,914706
CVE References: CVE-2015-0219,CVE-2015-0220,CVE-2015-0221,CVE-2015-0222
Sources used:
SUSE Cloud 4 (src):    python-django-1.5.12-0.7.1
Comment 8 Bernhard Wiedemann 2015-03-24 17:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (913053) was mentioned in
https://build.opensuse.org/request/show/292722 13.2 / python-Django
Comment 10 Swamp Workflow Management 2015-04-01 16:04:59 UTC
openSUSE-SU-2015:0643-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 913053,913055,913056,923172,923176
CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317
Sources used:
openSUSE 13.2 (src):    python-Django-1.6.11-3.4.1
Comment 11 Bernhard Wiedemann 2015-05-18 07:21:01 UTC
all updates are submitted+accepted
Comment 12 Swamp Workflow Management 2015-06-23 14:05:24 UTC
SUSE-SU-2015:1109-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 913053,913055,913056,923172,923176
CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317
Sources used:
SUSE Enterprise Storage 1.0 (src):    python-Django-1.6.11-4.1
Comment 13 Swamp Workflow Management 2015-06-23 14:06:46 UTC
SUSE-SU-2015:1112-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 913053,913055,913056,923172,923176
CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317
Sources used:
SUSE Enterprise Storage 1.0 (src):    python-Django-1.6.11-4.1
Comment 14 Bernhard Wiedemann 2015-09-09 12:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (913053) was mentioned in
https://build.opensuse.org/request/show/330037 13.1 / python-django
Comment 15 Bernhard Wiedemann 2015-09-09 14:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (913053) was mentioned in
https://build.opensuse.org/request/show/330056 13.1 / python-django
Comment 16 Swamp Workflow Management 2015-09-22 09:11:54 UTC
openSUSE-SU-2015:1598-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 913053,913054,913055,913056,914706,923176,941587
CVE References: CVE-2015-0219,CVE-2015-0220,CVE-2015-0221,CVE-2015-0222,CVE-2015-2317,CVE-2015-5963
Sources used:
openSUSE 13.1 (src):    python-django-1.5.12-0.2.11.1