Reference: MLIST:[oss-security] 20090729 CVE Request (django)
Reference: URL:http://www.openwall.com/lists/oss-security/2009/07/29/2
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539134
Reference: CONFIRM:http://code.djangoproject.com/changeset/11353
Reference: CONFIRM:http://www.djangoproject.com/weblog/2009/jul/28/security/
Reference: BID:35859
Reference: URL:http://www.securityfocus.com/bid/35859

The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.
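The bug class in the description above is a static-file handler that joins a request path under a media root without normalising it or checking where the resolved path lands. The following is an added illustration written for this page; it is not Django's code and not the fix in changeset 11353. It puts the naive mapping beside a hardened resolver and exercises both against constructed requests. The media root is a temporary directory created by the example, and the function names (naive_map, safe_map, escapes_root, demo) are assumptions for this illustration.

```python
"""
Illustrative admin-media path mapping: the traversal pattern beside a
hardened resolver. Added example, not Django's code. Assumes a POSIX host.
"""
import os
import posixpath
import tempfile
from urllib.parse import unquote


def naive_map(media_root, url_path):
    """Vulnerable pattern: glue the URL path under the media root with no
    normalisation and no containment check. A request path of
    /../../etc/passwd maps straight to <media_root>/../../etc/passwd."""
    return os.path.join(media_root, url_path.lstrip("/"))


def safe_map(media_root, url_path):
    """Hardened mapping. Returns an absolute path inside media_root, or
    None if the request must be rejected (404 or 403 in a real handler)."""
    # Percent-decode first so %2e%2e/ cannot smuggle a '..' segment past
    # the checks below.
    path = unquote(url_path).lstrip("/")
    if not path:
        return None  # no directory listings
    # Collapse '.', '..' and repeated slashes on the URL side. Any '..'
    # that survives normpath would climb above the root.
    path = posixpath.normpath(path)
    parts = path.split("/")
    if any(p in ("", ".", "..") for p in parts):
        return None
    root = os.path.realpath(media_root)
    candidate = os.path.realpath(os.path.join(root, *parts))
    # Final containment check on the resolved path. realpath follows
    # symlinks, so a link inside the root that points outside it is
    # rejected as well.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def escapes_root(media_root, fs_path):
    """True if fs_path resolves to something outside media_root."""
    root = os.path.realpath(media_root)
    real = os.path.realpath(fs_path)
    return real != root and not real.startswith(root + os.sep)


def demo():
    """Build a throwaway media root and run both mappers over constructed
    requests. Returns a dict of outcomes so the results can be checked."""
    root = tempfile.mkdtemp(prefix="media-")  # constructed media root
    os.makedirs(os.path.join(root, "css"))
    with open(os.path.join(root, "css", "base.css"), "w") as fh:
        fh.write("body {}\n")

    good = "/css/base.css"                      # legitimate request
    bad = "/../../etc/passwd"                   # plain traversal
    encoded = "/%2e%2e/%2e%2e/etc/passwd"       # percent-encoded traversal
    expected = os.path.realpath(os.path.join(root, "css", "base.css"))

    return {
        "naive_good_escapes": escapes_root(root, naive_map(root, good)),
        "naive_bad_escapes": escapes_root(root, naive_map(root, bad)),
        "safe_good": safe_map(root, good) == expected,
        "safe_bad": safe_map(root, bad),
        "safe_encoded": safe_map(root, encoded),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of operations in safe_map matters: decode, then normalise, then reject any surviving parent segment, then check the resolved path against the resolved root. Doing the containment check on the raw joined string instead of on realpath output would still let a symlink under the media root point outside it.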
Created django tracking bugs for this issue

CVE-2009-2659 Affects: F10 [bug #515582]
CVE-2009-2659 Affects: F11 [bug #515583]
CVE-2009-2659 Affects: Fdevel [bug #515584]
This issue is public, no need for private bug.
These should all be resolved in the current release. I don't have access to close bug #515582 or bug #515583. I believe they can be closed as well.
Done. All closed. All versions of Fedora have been updated:

Fedora-10: http://koji.fedoraproject.org/packages/Django/1.0.3/6.fc10
Fedora-10-testing: http://koji.fedoraproject.org/packages/Django/1.1/4.fc10
Fedora-11: http://koji.fedoraproject.org/packages/Django/1.1/4.fc11
Fedora-11-candidate: http://koji.fedoraproject.org/packages/Django/1.0.3/2.fc11
Fedora-Rawhide: http://koji.fedoraproject.org/packages/Django/1.1/4.fc12