Common Vulnerabilities and Exposures assigned an identifier CVE-2014-0472 to the following vulnerability: Name: CVE-2014-0472 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0472 Assigned: 20131219 Reference: https://www.djangoproject.com/weblog/2014/apr/21/security/ The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."
This has been addressed in Fedora 20 and EPEL6: https://admin.fedoraproject.org/updates/Django14-1.4.11-1.el6 https://admin.fedoraproject.org/updates/python-django15-1.5.6-1.fc20 https://admin.fedoraproject.org/updates/python-django14-1.4.11-1.fc20 https://admin.fedoraproject.org/updates/python-django-1.6.3-1.fc20
Note that the initial upstream patch for this introduced a regression. The following patch corrects that regression: https://github.com/django/django/commit/6915220ff9d6eeb2a669421d06bce9403ed6480c The original upstream patch is: https://github.com/django/django/commit/4352a50871e239ebcdf64eee6f0b88e714015c1b (for the 1.6.x branch)
Acknowledgements: Red Hat would like to thank the upstream Django project for reporting this issue. Upstream acknowledges Benjamin Bach as the original reporter.
This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2014:0457 https://rhn.redhat.com/errata/RHSA-2014-0457.html
This issue has been addressed in following products: OpenStack 4 for RHEL 6 Via RHSA-2014:0456 https://rhn.redhat.com/errata/RHSA-2014-0456.html