Bug 1179685 (CVE-2015-0222) - CVE-2015-0222 Django: database denial of service with ModelMultipleChoiceField
Summary: CVE-2015-0222 Django: database denial of service with ModelMultipleChoiceField
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2015-0222
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1181951 1181952
Blocks: 1179508
TreeView+ depends on / blocked
 
Reported: 2015-01-07 10:35 UTC by Martin Prpič
Modified: 2021-02-17 05:51 UTC (History)
16 users (show)

Fixed In Version: Django 1.7.3, Django 1.6.10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-14 10:39:14 UTC


Attachments (Terms of Use)
mmc-dos-1.6.x.patch (4.80 KB, text/plain)
2015-01-07 10:36 UTC, Martin Prpič
no flags Details
mmc-dos-1.7.x.patch (5.83 KB, text/plain)
2015-01-07 10:36 UTC, Martin Prpič
no flags Details
mmc-dos-master.patch (5.83 KB, text/plain)
2015-01-07 10:36 UTC, Martin Prpič
no flags Details

Description Martin Prpič 2015-01-07 10:35:36 UTC
The Django project reports the following issue:

"""
Given a form that uses ``ModelMultipleChoiceField`` and ``show_hidden_initial=True`` (not a documented API), it was possible for a user to cause an unreasonable number of SQL queries by submitting duplicate values for the field's data. The validation logic in ``ModelMultipleChoiceField`` now deduplicates submitted values to address this issue.
"""

This issue is resolved in the upstream versions 1.7.3 and 1.6.10.

Acknowledgements:

Red Hat would like to thank the upstream Django project for reporting this issue.

Comment 1 Martin Prpič 2015-01-07 10:36:07 UTC
Created attachment 977200 [details]
mmc-dos-1.6.x.patch

Comment 2 Martin Prpič 2015-01-07 10:36:09 UTC
Created attachment 977201 [details]
mmc-dos-1.7.x.patch

Comment 3 Martin Prpič 2015-01-07 10:36:12 UTC
Created attachment 977202 [details]
mmc-dos-master.patch

Comment 4 Martin Prpič 2015-01-14 07:28:28 UTC
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1181951]
Affects: epel-7 [bug 1181952]

Comment 5 Martin Prpič 2015-01-14 07:30:00 UTC
External References:

https://www.djangoproject.com/weblog/2015/jan/13/security/

Comment 6 Fedora Update System 2015-01-26 02:32:37 UTC
python-django-1.6.10-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-01-27 03:00:25 UTC
python-django14-1.4.18-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-01-27 03:06:01 UTC
python-django-1.6.10-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-02-05 19:01:51 UTC
python-django-1.6.10-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Matthias Runge 2016-06-14 10:39:14 UTC
all related bzs have been closed already.


Note You need to log in before you can comment on or make changes to this bug.