Bug 665373 - (CVE-2010-4534, CVE-2010-4535) CVE-2010-4534, CVE-2010-4535 Information leakage and DoS vulnerabilities in Django < 1.2.4 & 1.1.3
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
public=20101222,reported=20101223,sou...
Keywords: Security
Depends On: 665410
Reported: 2010-12-23 08:54 EST by Luke Macken
Modified: 2015-07-31 08:30 EDT (History)
Doc Type: Bug Fix
Last Closed: 2014-08-15 15:31:45 EDT
Description Luke Macken 2010-12-23 08:54:31 EST
Description of problem:

http://www.djangoproject.com/weblog/2010/dec/22/security/
Comment 1 Jan Lieskovsky 2010-12-23 10:43:26 EST
1) Information leakage in Django administrative interface

    CVSSv2 score = 3.5/AV:N/AC:M/Au:S/C:P/I:N/A:N
    Upstream changeset (against Django v1.2 version, which is in Fedora):
    http://code.djangoproject.com/changeset/15033

2) Denial-of-service attack in password-reset mechanism
    CVSSv2 score = 5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
    Upstream changeset (against Django v1.2 version, which is in Fedora):
    http://code.djangoproject.com/changeset/15034
Comment 2 Jan Lieskovsky 2010-12-23 10:46:53 EST
These issues affect the versions of the Django package as shipped
with Fedora releases 13 and 14.

--

These issues affect the versions of the Django package, as present
within EPEL-4 and EPEL-5 repositories.

Please schedule an update / rebase.
Comment 3 Jan Lieskovsky 2010-12-23 10:49:44 EST
Created Django tracking bugs for this issue

Affects: fedora-all [bug 665410]
Comment 4 Jan Lieskovsky 2010-12-23 12:08:57 EST
CVE Request:
http://www.openwall.com/lists/oss-security/2010/12/23/4
Comment 5 Jan Lieskovsky 2010-12-23 12:09:50 EST
(In reply to comment #0)
> Description of problem:
> 
> http://www.djangoproject.com/weblog/2010/dec/22/security/

Thank you for the report, Luke.
Comment 6 Steve Milner 2011-01-03 09:47:19 EST
I apologize for the late response (was on vacation). Updated packages are being worked on now.
Comment 7 Jan Lieskovsky 2011-01-03 14:30:48 EST
The following CVE identifiers have been assigned:
http://www.openwall.com/lists/oss-security/2011/01/03/5

1) CVE-2010-4534 for the "information leakage in Django administrative
   interface" issue, and

2) CVE-2010-4535 for the "Denial-of-service attack in password-reset mechanism"
   issue.
Comment 8 Kurt Seifried 2014-08-15 15:31:45 EDT
This has been fixed in Fedora/EPEL:

fedora:19/python-django14-1.4.13-1.fc19
fedora:19/python-django-1.5.8-1.fc19
fedora:20/python-django-1.6.5-1.fc20
fedora:20/python-django14-1.4.13-1.fc20
fedora:20/python-django15-1.5.8-4.fc20
fedora:epel:6/Django14-1.4.13-1.el6
fedora:epel:6/python-django15-1.5.6-1.el6
fedora:epel:7/python-django15-1.5.6-1.el7
fedora:epel:7/python-django-1.6.5-1.el7
