Bug 460966 - (CVE-2008-3909) CVE-2008-3909 Django: CSRF issue fixed in 0.96.3
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Django
Version: 9
Platform: All
OS: All
Priority: high
Severity: high
Assigned To: Michel Alexandre Salim
QA Contact: Fedora Extras Quality Assurance
URL: http://www.djangoproject.com/weblog/2...
Keywords: Security
Reported: 2008-09-02 20:57 EDT by Steve Milner
Modified: 2008-09-10 02:40 EDT
Fixed In Version: 0.96.3-1
Doc Type: Bug Fix
Last Closed: 2008-09-06 10:38:40 EDT

Description Steve Milner 2008-09-02 20:57:03 EDT
Description of problem:
The following was reported today to the public (Sept. 2, 2008) via the Django main site:

The Django administration application, as a convenience for users whose sessions expire, will attempt to preserve HTTP POST data from an incoming submission while re-authenticating the user, and will -- on successful authentication -- allow the submission to continue without requiring data to be re-entered.

Django developer Simon Willison has presented the Django development team with a proof-of-concept cross-site request forgery (CSRF) which exploits this behavior to perform unrequested deletion/modification of data. This exploit has been tested and verified by the Django team, and succeeds regardless of whether Django's bundled CSRF-protection module is active.

Version-Release number of selected component (if applicable):
Django-0.96.2-1

Extra Info
Since I am not aware if the maintainer of the package was given advance notice I'm cc'ing him on this bug.
Comment 1 James Bennett 2008-09-02 21:14:21 EDT
Michel was listed on the advance notification last week, albeit at a different address; if the address CC'd above is the correct address to use for such notifications, let me know and I'll update our list.
Comment 2 Michel Alexandre Salim 2008-09-02 21:43:11 EDT
What e-mail address was used for the advance notification? I just checked and could not find the e-mail.

Please use salimma@fedoraproject.org or michel.sylvan@gmail.com -- preferably the former. Thanks.

Working on the new release now.
Comment 3 James Bennett 2008-09-02 21:59:22 EDT
I had previously received email from michel.salim@gmail and was using that; it never bounced so I'd assumed it was still the correct one; I'll switch to the fedora address for the future.
Comment 4 Fedora Update System 2008-09-02 22:26:54 EDT
Django-0.96.3-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc9
Comment 5 Fedora Update System 2008-09-02 22:28:45 EDT
Django-0.96.3-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc9
Comment 6 Fedora Update System 2008-09-02 22:29:32 EDT
Django-0.96.3-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc8
Comment 7 Tomas Hoger 2008-09-04 14:11:58 EDT
CVE id CVE-2008-3909 was assigned to this issue:

The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.
Comment 8 Michel Alexandre Salim 2008-09-06 10:38:40 EDT
Update has been marked stable, but for some reason the bug is not automatically closed; closing now.
Comment 9 Fedora Update System 2008-09-10 02:35:46 EDT
Django-0.96.3-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2008-09-10 02:40:49 EDT
Django-0.96.3-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.