Common Vulnerabilities and Exposures assigned an identifier CVE-2014-0473 to the following vulnerability: Name: CVE-2014-0473 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0473 Assigned: 20131219 Reference: https://www.djangoproject.com/weblog/2014/apr/21/security/ The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.
This has been addressed in Fedora 20 and EPEL6: https://admin.fedoraproject.org/updates/Django14-1.4.11-1.el6 https://admin.fedoraproject.org/updates/python-django15-1.5.6-1.fc20 https://admin.fedoraproject.org/updates/python-django14-1.4.11-1.fc20 https://admin.fedoraproject.org/updates/python-django-1.6.3-1.fc20
Acknowledgements: Red Hat would like to thank the upstream Django project for reporting this issue. Upstream acknowledges Paul McMillan as the original reporter.
This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2014:0457 https://rhn.redhat.com/errata/RHSA-2014-0457.html
This issue has been addressed in following products: OpenStack 4 for RHEL 6 Via RHSA-2014:0456 https://rhn.redhat.com/errata/RHSA-2014-0456.html