Bug 1090588 (CVE-2014-0472)
Summary: | CVE-2014-0472 python-django: unexpected code execution using reverse() | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | abaron, aortega, apevec, athomas, ayoung, bkabrda, bkearney, chrisw, gkotton, jdornak, katello-bugs, kseifried, lhh, markmc, mhroncok, michel, mrunge, rbryant, rhos-maint, sclewis, tjay, yeylon |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | django 1.4.11, django 1.5.6, django 1.6.3, django 1.7b2 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-08-26 23:40:13 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1027766, 1090687, 1090689, 1161009 | ||
Bug Blocks: | 1090594, 1129960 |
Description
Vincent Danen
2014-04-23 16:45:34 UTC
This has been addressed in Fedora 20 and EPEL6: https://admin.fedoraproject.org/updates/Django14-1.4.11-1.el6 https://admin.fedoraproject.org/updates/python-django15-1.5.6-1.fc20 https://admin.fedoraproject.org/updates/python-django14-1.4.11-1.fc20 https://admin.fedoraproject.org/updates/python-django-1.6.3-1.fc20 Note that the initial upstream patch for this introduced a regression. The following patch corrects that regression: https://github.com/django/django/commit/6915220ff9d6eeb2a669421d06bce9403ed6480c The original upstream patch is: https://github.com/django/django/commit/4352a50871e239ebcdf64eee6f0b88e714015c1b (for the 1.6.x branch) Acknowledgements: Red Hat would like to thank the upstream Django project for reporting this issue. Upstream acknowledges Benjamin Bach as the original reporter. This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2014:0457 https://rhn.redhat.com/errata/RHSA-2014-0457.html This issue has been addressed in following products: OpenStack 4 for RHEL 6 Via RHSA-2014:0456 https://rhn.redhat.com/errata/RHSA-2014-0456.html |