Bug 937523 - (CVE-2015-5144) VUL-0: CVE-2015-5144: python-django: Header injection possibility since validators accept newlines in input
(CVE-2015-5144)
VUL-0: CVE-2015-5144: python-django: Header injection possibility since valid...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/118502/
CVSSv2:NVD:CVE-2015-5144:4.3:(AV:N/AC...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-07-09 11:42 UTC by Andreas Stieger
Modified: 2016-04-27 19:42 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-07-09 11:42:53 UTC
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/

Header injection possibility since validators accept newlines in input

Some of Django's built-in validators (django.core.validators.EmailValidator, most seriously) didn't prohibit newline characters (due to the usage of $ instead of \Z in the regular expressions). If you use values with newlines in HTTP response or email headers, you can suffer from header injection attacks. Django itself isn't vulnerable because django.http.HttpResponse and the mail sending utilities in django.core.mail prohibit newlines in HTTP and SMTP headers, respectively. While the validators have been fixed in Django, if you're creating HTTP responses or email messages in other ways, it's a good idea to ensure that those methods prohibit newlines as well. You might also want to validate that any existing data in your application doesn't contain unexpected newlines.

django.core.validators.validate_ipv4_address(), django.core.validators.validate_slug(), and django.core.validators.URLValidator are also affected, however, as of Django 1.6 the GenericIPAddresseField, IPAddressField, SlugField, and URLField form fields which use these validators all strip the input, so the possibility of newlines entering your data only exists if you are using these validators outside of the form fields.

The undocumented, internally unused validate_integer() function is now stricter as it validates using a regular expression instead of simply casting the value using int() and checking if an exception was raised.

Thanks Sjoerd Job Postmus for reporting the issue.

This issue has been assigned the identifier CVE-2015-5144.


Fixed in 1.4.21, 1.7.9, and 1.8.3
https://github.com/django/django/commit/014247ad1922931a2f17beaf6249247298e9dc44

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1239011
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5144
http://www.debian.org/security/2015/dsa-3305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5144
Comment 1 Swamp Workflow Management 2015-07-09 22:00:21 UTC
bugbot adjusting priority
Comment 4 Bernhard Wiedemann 2015-10-12 14:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (937523) was mentioned in
https://build.opensuse.org/request/show/338144 13.2 / python-Django
Comment 5 Vincent Untz 2015-10-13 12:11:13 UTC
Was submitted in mr#73853/mr#73849.
Comment 6 Bernhard Wiedemann 2015-10-13 13:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (937523) was mentioned in
https://build.opensuse.org/request/show/338439 13.1 / python-django
Comment 7 Swamp Workflow Management 2015-10-22 08:10:07 UTC
openSUSE-SU-2015:1802-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 937522,937523
CVE References: CVE-2015-5143,CVE-2015-5144
Sources used:
openSUSE 13.1 (src):    python-django-1.5.12-0.2.14.1
Comment 8 Swamp Workflow Management 2015-10-23 09:09:59 UTC
SUSE-SU-2015:1810-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 937522,937523,941587
CVE References: CVE-2015-5143,CVE-2015-5144,CVE-2015-5963
Sources used:
SUSE OpenStack Cloud 5 (src):    python-Django-1.6.11-10.2
Comment 9 Swamp Workflow Management 2015-10-23 15:10:19 UTC
openSUSE-SU-2015:1813-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 937522,937523
CVE References: CVE-2015-5143,CVE-2015-5144
Sources used:
openSUSE 13.2 (src):    python-Django-1.6.11-3.10.1
Comment 10 Swamp Workflow Management 2015-10-23 16:10:09 UTC
SUSE-SU-2015:1815-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 937522,937523,941587
CVE References: CVE-2015-5143,CVE-2015-5144,CVE-2015-5963
Sources used:
SUSE Enterprise Storage 1.0 (src):    python-Django-1.6.11-8.1
Comment 11 Andreas Stieger 2016-01-07 11:07:02 UTC
Releasing for SES 2 which is the last affected product. Closing.
Comment 12 Swamp Workflow Management 2016-01-07 14:12:14 UTC
SUSE-SU-2016:0044-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 937522,937523,941587,955412
CVE References: CVE-2015-5143,CVE-2015-5144,CVE-2015-5963,CVE-2015-8213
Sources used:
SUSE Enterprise Storage 2 (src):    python-Django-1.6.11-3.1