Bug 1129954 (CVE-2014-0482)

Summary: CVE-2014-0482 Django: RemoteUserMiddleware session hijacking
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, ayoung, bkearney, carnil, cbillett, chrisw, dallan, gkotton, jrusnack, kseifried, lhh, lpeer, markmc, mrunge, rbryant, sclewis, security-response-team, tjay, tomckay, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: django 1.4.14, django 1.5.9, django 1.6.6, django 1.7-rc3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-26 23:40:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Embargoed:
Bug Depends On: 1132773, 1132774, 1132775, 1132776, 1132777, 1132778    
Bug Blocks: 1129960    
Attachments:
  1.4 patch (flags: none)
  1.5 patch (flags: none)
  1.6 patch (flags: none)

Description Murray McAllister 2014-08-14 04:49:26 UTC
The Django project reports the following issue:

""
Django provides a middleware --
``django.contrib.auth.middleware.RemoteUserMiddleware`` -- and an
authentication backend,
``django.contrib.auth.backends.RemoteUserBackend``, which use the
``REMOTE_USER`` header for authentication purposes.

In some circumstances, use of this middleware and backend could result
in one user receiving another user's session, if a change to the
``REMOTE_USER`` header occurred without corresponding logout/login
actions.

To remedy this, the middleware will now ensure that a change to
``REMOTE_USER`` without an explicit logout will force a logout and
subsequent login prior to accepting the new ``REMOTE_USER``.
""

This issue is due to be resolved in the upstream 1.4.14, 1.5.9, 1.6.6, and 1.7 release candidate 3 releases.

Acknowledgements:

Red Hat would like to thank the upstream Django project for reporting this issue. Upstream acknowledges David Greisen as the original reporter.

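The behaviour the quoted advisory describes, as an added stand-alone Python model; this is not Django's code and not part of the bug report or its attachments. It models a simplified RemoteUserMiddleware before and after the fix against a constructed two-user table. The Request class, the session dict, and the backend_authenticate(), login() and logout() helpers are stand-ins for Django's objects, and the "before" path assumes one of the circumstances the advisory alludes to: a session is established for one REMOTE_USER, then the same session cookie arrives with the header changed to a value the backend rejects (or with the header removed), and the old user's session keeps being served. The `force_logout_if_no_header` flag is named after the middleware attribute the fixed releases introduced; its behaviour here is this model's reading of the advisory.

```python
"""Model of RemoteUserMiddleware before/after the CVE-2014-0482 fix.

Constructed, Django-free example. The objects below are simplified
stand-ins for Django's request, session and RemoteUserBackend.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed account table. Like RemoteUserBackend with
# create_unknown_user=False, the backend refuses unknown names.
KNOWN_USERS = {"alice", "bob"}


@dataclass
class Request:
    # meta stands in for request.META (the WSGI environ). REMOTE_USER is
    # set by the web server or auth proxy, never by the browser.
    meta: dict
    session: dict = field(default_factory=dict)

    @property
    def user(self) -> Optional[str]:
        """Authenticated username persisted in the session, or None."""
        return self.session.get("_auth_user")


def backend_authenticate(remote_user: str) -> Optional[str]:
    """Stand-in for RemoteUserBackend.authenticate()."""
    return remote_user if remote_user in KNOWN_USERS else None


def login(request: Request, username: str) -> None:
    request.session["_auth_user"] = username


def logout(request: Request) -> None:
    request.session.clear()


def middleware_before_fix(request: Request) -> None:
    """Pre-fix logic (simplified): the existing session is trusted unless a
    new REMOTE_USER authenticates. A header that is missing, or that names a
    user the backend rejects, leaves the previous user's session in place."""
    username = request.meta.get("REMOTE_USER")
    if username is None:
        return                      # old session user survives untouched
    if request.user is not None and request.user == username:
        return                      # header matches session: nothing to do
    user = backend_authenticate(username)
    if user is not None:
        login(request, user)
    # authenticate() failed: request.user is STILL the old session user


def middleware_after_fix(request: Request,
                         force_logout_if_no_header: bool = True) -> None:
    """Fixed logic (simplified): any mismatch between the session user and
    REMOTE_USER forces a logout before a new login is attempted."""
    username = request.meta.get("REMOTE_USER")
    if username is None:
        if force_logout_if_no_header and request.user is not None:
            logout(request)         # header gone: drop the stale session
        return
    if request.user is not None:
        if request.user == username:
            return
        logout(request)             # session user != header user
    user = backend_authenticate(username)
    if user is not None:
        login(request, user)


def simulate(middleware: Callable[[Request], None],
             later_header: Optional[str]) -> Optional[str]:
    """Log alice in, replay the same session with a different (or absent)
    REMOTE_USER, and return the username the application now sees."""
    session: dict = {}
    first = Request(meta={"REMOTE_USER": "alice"}, session=session)
    middleware(first)
    assert first.user == "alice"
    meta = {} if later_header is None else {"REMOTE_USER": later_header}
    second = Request(meta=meta, session=session)
    middleware(second)
    return second.user


if __name__ == "__main__":
    for name, mw in (("before fix", middleware_before_fix),
                     ("after fix", middleware_after_fix)):
        for hdr in ("alice", "bob", "mallory", None):
            print(f"{name:10s} REMOTE_USER={hdr!s:8s} -> user={simulate(mw, hdr)}")
```

With the pre-fix middleware, replaying alice's session with REMOTE_USER=mallory (rejected by the backend) or with no header at all still yields alice; with the fixed middleware both cases end unauthenticated, and a legitimate switch to bob produces a fresh login as bob rather than a carried-over session.
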
Comment 2 Murray McAllister 2014-08-14 04:51:16 UTC
Created attachment 926641 [details]
1.4 patch

Comment 3 Murray McAllister 2014-08-14 04:51:36 UTC
Created attachment 926642 [details]
1.5 patch

Comment 4 Murray McAllister 2014-08-14 04:52:01 UTC
Created attachment 926643 [details]
1.6 patch

Comment 5 Murray McAllister 2014-08-22 03:42:47 UTC
External References:

https://www.djangoproject.com/weblog/2014/aug/20/security/

Comment 6 Murray McAllister 2014-08-22 03:55:30 UTC
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1132776]

Comment 7 Murray McAllister 2014-08-22 03:55:34 UTC
Created python-django15 tracking bugs for this issue:

Affects: fedora-20 [bug 1132775]
Affects: epel-6 [bug 1132777]
Affects: epel-7 [bug 1132778]

Comment 8 Murray McAllister 2014-08-22 03:55:39 UTC
Created python-django14 tracking bugs for this issue:

Affects: fedora-all [bug 1132774]

Comment 9 Murray McAllister 2014-08-22 03:55:43 UTC
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1132773]

Comment 10 Fedora Update System 2014-09-09 22:19:01 UTC
python-django-1.5.9-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2014-09-09 22:27:13 UTC
python-django-1.6.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2014-09-09 22:27:33 UTC
python-django14-1.4.14-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2014-09-10 13:29:47 UTC
python-django15-1.5.9-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2014-09-24 03:46:01 UTC
Django14-1.4.14-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2014-12-01 18:58:42 UTC
python-django14-1.4.16-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2014-12-01 18:59:46 UTC
python-django14-1.4.16-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.