Bug 665373 (CVE-2010-4534, CVE-2010-4535)

Summary: CVE-2010-4534, CVE-2010-4535 Information leakage and DoS vulnerabilities in Django < 1.2.4 & 1.1.3
Product: [Other] Security Response
Reporter: Luke Macken <lmacken>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: dmalcolm, jlieskov, michel, pfrields, smilner
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-08-15 19:31:45 UTC
Bug Depends On: 665410

Description Luke Macken 2010-12-23 13:54:31 UTC
Description of problem:

http://www.djangoproject.com/weblog/2010/dec/22/security/

Comment 1 Jan Lieskovsky 2010-12-23 15:43:26 UTC
1) Information leakage in Django administrative interface

    CVSSv2 score = 3.5/AV:N/AC:M/Au:S/C:P/I:N/A:N
    Upstream changeset (against Django v1.2 version, which is in Fedora):
    http://code.djangoproject.com/changeset/15033

2) Denial-of-service attack in password-reset mechanism

    CVSSv2 score = 5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
    Upstream changeset (against Django v1.2 version, which is in Fedora):
    http://code.djangoproject.com/changeset/15034

Comment 2 Jan Lieskovsky 2010-12-23 15:46:53 UTC
These issues affect the versions of the Django package, as shipped
with Fedora releases 13 and 14.

--

These issues affect the versions of the Django package, as present
within EPEL-4 and EPEL-5 repositories.

Please schedule an update / rebase.

Comment 3 Jan Lieskovsky 2010-12-23 15:49:44 UTC
Created Django tracking bugs for this issue

Affects: fedora-all [bug 665410]

Comment 4 Jan Lieskovsky 2010-12-23 17:08:57 UTC
CVE Request:
http://www.openwall.com/lists/oss-security/2010/12/23/4

Comment 5 Jan Lieskovsky 2010-12-23 17:09:50 UTC
(In reply to comment #0)
> Description of problem:
> 
> http://www.djangoproject.com/weblog/2010/dec/22/security/

Thank you for the report, Luke.

Comment 6 Steve Milner 2011-01-03 14:47:19 UTC
I apologize for the late response (was on vacation). Updated packages are being worked on now.

Comment 7 Jan Lieskovsky 2011-01-03 19:30:48 UTC
The following CVE identifiers have been assigned:
http://www.openwall.com/lists/oss-security/2011/01/03/5

1) CVE-2010-4534 for the "information leakage in Django administrative
   interface" issue, and

2) CVE-2010-4535 for the "denial-of-service attack in password-reset mechanism"
   issue.

Comment 8 Kurt Seifried 2014-08-15 19:31:45 UTC
This has been fixed in Fedora/EPEL:

fedora:19/python-django14-1.4.13-1.fc19
fedora:19/python-django-1.5.8-1.fc19
fedora:20/python-django-1.6.5-1.fc20
fedora:20/python-django14-1.4.13-1.fc20
fedora:20/python-django15-1.5.8-4.fc20
fedora:epel:6/Django14-1.4.13-1.el6
fedora:epel:6/python-django15-1.5.6-1.el6
fedora:epel:7/python-django15-1.5.6-1.el7
fedora:epel:7/python-django-1.6.5-1.el7