Django 1.4.18/1.6.10/1.7.3 update (SUMO)

RESOLVED FIXED

Status

RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: willkg, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

On January 17th, 2014, the Django project will issue a set  of releases to remedy security issues reported. This bug contains descriptions of the issues.

Please read the entirety of this bug. Then on the release day either:

1. apply the update and mark this bug as FIXED, or

2. verify this doesn't apply to your project and close this bug with a WONTFIX plus an explanation of why these don't apply to your project

The rest of this bug is directly from the tracker bug


===


Notification is preliminary, details/patches have not yet been released.

Multiple vulnerabilities have been released related to the Django framework. These issues include denial of service issues, and problems with unsanitized user-supplied data that depending on the application could result in security impact.
 
Risk: MEDIUM
Impact type:
- DOS
- Possible system access depending on application / authentication bypass
- Possible end-user credential exposure

CVES:
- CVE-2015-0219 / WSGI header spoofing
- CVE-2015-0220 / XSS attack via user-supplied redirect URLs
- CVE-2015-0221 / DOS against django.views.static.service
- CVE-2015-0222 / DOS against ModelMultipleChoiceField

Affected:
- Django master development branch
- Django 1.7
- Django 1.6
- Django 1.5 (deprecated, not receiving security updates)
- Django 1.4

Resolved versions:
- Django 1.7.3
- Django 1.6.10
- Django 1.4.18
Fixing the blocker. Bah.
Blocks: 1119018
No longer blocks: 1119015
Bah. The security releases come out Tuesday, January **13**, **2015**.
Django Project just issued the security release. Details in their blog post:

https://www.djangoproject.com/weblog/2015/jan/13/security/
Landed: https://github.com/mozilla/kitsune/commit/659f6c9ed913e3b3d832299e155cb8ea2def87fe
Deployed to prod
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Unchecking the boxes since this is done now.
Group: websites-security, mozilla-employee-confidential
You need to log in before you can comment on or make changes to this bug.