1179685 – (CVE-2015-0222) CVE-2015-0222 Django: database denial of service with ModelMultipleChoiceField

Bug 1179685 (CVE-2015-0222) - CVE-2015-0222 Django: database denial of service with ModelMultipleChoiceField

Summary: CVE-2015-0222 Django: database denial of service with ModelMultipleChoiceField

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2015-0222
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1181951 1181952
Blocks:	1179508
TreeView+	depends on / blocked

Reported:	2015-01-07 10:35 UTC by Martin Prpič
Modified:	2023-05-12 06:22 UTC (History)
CC List:	16 users (show)
Fixed In Version:	Django 1.7.3, Django 1.6.10
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-06-14 10:39:14 UTC
Embargoed:

Attachments	(Terms of Use)
mmc-dos-1.6.x.patch (4.80 KB, text/plain) 2015-01-07 10:36 UTC, Martin Prpič	no flags	Details
mmc-dos-1.7.x.patch (5.83 KB, text/plain) 2015-01-07 10:36 UTC, Martin Prpič	no flags	Details
mmc-dos-master.patch (5.83 KB, text/plain) 2015-01-07 10:36 UTC, Martin Prpič	no flags	Details
View All

Description Martin Prpič 2015-01-07 10:35:36 UTC

The Django project reports the following issue:

"""
Given a form that uses ``ModelMultipleChoiceField`` and ``show_hidden_initial=True`` (not a documented API), it was possible for a user to cause an unreasonable number of SQL queries by submitting duplicate values for the field's data. The validation logic in ``ModelMultipleChoiceField`` now deduplicates submitted values to address this issue.
"""

This issue is resolved in the upstream versions 1.7.3 and 1.6.10.

Acknowledgements:

Red Hat would like to thank the upstream Django project for reporting this issue.

Comment 1 Martin Prpič 2015-01-07 10:36:07 UTC

Created attachment 977200 [details]
mmc-dos-1.6.x.patch

Comment 2 Martin Prpič 2015-01-07 10:36:09 UTC

Created attachment 977201 [details]
mmc-dos-1.7.x.patch

Comment 3 Martin Prpič 2015-01-07 10:36:12 UTC

Created attachment 977202 [details]
mmc-dos-master.patch

Comment 4 Martin Prpič 2015-01-14 07:28:28 UTC

Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1181951]
Affects: epel-7 [bug 1181952]

Comment 5 Martin Prpič 2015-01-14 07:30:00 UTC

External References:

https://www.djangoproject.com/weblog/2015/jan/13/security/

Comment 6 Fedora Update System 2015-01-26 02:32:37 UTC

python-django-1.6.10-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-01-27 03:00:25 UTC

python-django14-1.4.18-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-01-27 03:06:01 UTC

python-django-1.6.10-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-02-05 19:01:51 UTC

python-django-1.6.10-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Matthias Runge 2016-06-14 10:39:14 UTC

all related bzs have been closed already.

Note You need to log in before you can comment on or make changes to this bug.