Bug 913054 - (CVE-2015-0220) VUL-1: CVE-2015-0220: python-django: Mitigated possible XSS attack via user-supplied redirect URLs
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Bernhard Wiedemann
Security Team bot
https://smash.suse.de/issue/112321/
Reported: 2015-01-14 09:48 UTC by Victor Pereira
Modified: 2015-10-14 11:26 UTC (History)
Found By: Security Response Team
Description Victor Pereira 2015-01-14 09:48:32 UTC
CVE-2015-0220

Django relies on user input in some cases (e.g. ``django.contrib.auth.views.login()`` and i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely ``django.util.http.is_safe_url()``) didn't strip leading whitespace on the tested URL and as such considered URLs like ``\njavascript:...`` safe. If a developer relied on ``is_safe_url()`` to provide safe redirect targets and put such a URL into a link, they could suffer from an XSS attack. This bug doesn't affect Django currently, since we only put this URL into the ``Location`` response header and browsers seem to ignore JavaScript there.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1179675
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0220
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0220.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0220
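As an added illustration (not Django's own code, nor part of this bug report), the snippet below models the pre-fix and post-fix shape of the ``is_safe_url()`` check described above: the only difference is the ``strip()`` the fix introduced. The URL splitter and the sample redirect targets are constructed for this example, so the outcome does not depend on how the running Python's ``urllib.parse`` happens to treat leading whitespace.

```python
import re

# Constructed minimal scheme/netloc splitter (not urllib.parse): a scheme is
# only recognised at the very first character, which is exactly why a leading
# newline hid "javascript:" from the pre-fix check.
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def _split(url):
    m = SCHEME_RE.match(url)
    scheme = m.group(1).lower() if m else ""
    rest = url[m.end():] if m else url
    netloc = ""
    if rest.startswith("//"):
        netloc = re.split(r"[/?#]", rest[2:], maxsplit=1)[0]
    return scheme, netloc


def _same_host_http_only(url, host):
    scheme, netloc = _split(url)
    return (not netloc or netloc == host) and (not scheme or scheme in ("http", "https"))


def is_safe_url_before(url, host):
    """Pre-fix shape: no whitespace stripping, so "\\njavascript:..." passes."""
    if not url:
        return False
    return _same_host_http_only(url, host)


def is_safe_url_after(url, host):
    """Post-fix shape: strip first, then re-check for an empty string."""
    if not url:
        return False
    url = url.strip()
    if not url:
        return False
    return _same_host_http_only(url, host)


def check_redirects(host="example.com"):
    """Run both versions over constructed sample targets; returns {url: (before, after)}."""
    samples = [
        "/accounts/profile/",           # relative path, safe
        "https://example.com/next",     # same host, safe
        "https://evil.example/next",    # foreign host, unsafe
        "javascript:alert(1)",          # rejected by both versions
        "\njavascript:alert(1)",        # the CVE-2015-0220 case
    ]
    return {u: (is_safe_url_before(u, host), is_safe_url_after(u, host)) for u in samples}
```

The ``"\njavascript:..."`` entry is the one where the two versions disagree: the pre-fix check reports it safe, the post-fix check does not.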
Comment 1 Swamp Workflow Management 2015-01-14 23:01:04 UTC
bugbot adjusting priority
Comment 4 Johannes Segitz 2015-02-12 13:14:31 UTC
If it's not a problem in django itself then we will handle this in VUL-1 since we only ship this for cloud products.
Comment 5 Swamp Workflow Management 2015-02-19 12:21:39 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2015-03-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60743
Comment 7 Swamp Workflow Management 2015-03-20 23:06:32 UTC
SUSE-SU-2015:0563-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 913053,913054,913055,913056,914706
CVE References: CVE-2015-0219,CVE-2015-0220,CVE-2015-0221,CVE-2015-0222
Sources used:
SUSE Cloud 4 (src):    python-django-1.5.12-0.7.1
Comment 8 Bernhard Wiedemann 2015-09-09 12:00:28 UTC
This is an autogenerated message for OBS integration:
This bug (913054) was mentioned in
https://build.opensuse.org/request/show/330037 13.1 / python-django
Comment 9 Bernhard Wiedemann 2015-09-09 14:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (913054) was mentioned in
https://build.opensuse.org/request/show/330056 13.1 / python-django
Comment 10 Swamp Workflow Management 2015-09-22 09:12:07 UTC
openSUSE-SU-2015:1598-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 913053,913054,913055,913056,914706,923176,941587
CVE References: CVE-2015-0219,CVE-2015-0220,CVE-2015-0221,CVE-2015-0222,CVE-2015-2317,CVE-2015-5963
Sources used:
openSUSE 13.1 (src):    python-django-1.5.12-0.2.11.1
Comment 11 Vincent Untz 2015-10-13 12:34:49 UTC
Unless I'm mistaken, this one has already been released. Can we close as FIXED?
Comment 12 Johannes Segitz 2015-10-14 11:26:19 UTC
yes, this is fixed