Debian DSA-2934-1 : python-django - security update

Nessus Plugin ID 74097 (severity: critical)

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities were discovered in Django, a high-level Python web development framework. The Common Vulnerabilities and Exposures project identifies the following problems:

- CVE-2014-0472 Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() URL resolver function: a dotted view name such as "package.module.view" was imported before it was checked against the URL configuration. An attacker who can get attacker-controlled input passed to reverse() (for example, a view that reverses a view name taken from the request) could use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution through import-time side effects of those modules.

- CVE-2014-0473 Paul McMillan discovered that Django incorrectly cached certain pages that contained CSRF cookies. A remote attacker could use this flaw to acquire the CSRF token of a different user and bypass intended CSRF protections in a Django application.

- CVE-2014-0474 Michael Koziarski discovered that certain Django model field classes (FilePathField, GenericIPAddressField and IPAddressField) did not properly perform type conversion on their arguments before passing them to the database. On MySQL, which implicitly coerces types when comparing values, this allows remote attackers to obtain unexpected query results; other database backends are not known to be affected.

- CVE-2014-1418 Michael Nelson, Natalia Bidart and James Westby discovered that cached data in Django could be served to a different session, or to a user with no session at all. An attacker may use this to retrieve private data or poison caches.

- CVE-2014-3730 Peter Kuma and Gavin Wahl discovered that Django incorrectly validated certain malformed URLs from user input in django.utils.http.is_safe_url(), which guards the "on success" redirect targets used by views such as django.contrib.auth.views.login. URLs that some browsers parse liberally (for example, ones using backslashes in place of slashes) were accepted as local. An attacker may use this to redirect users to an arbitrary external site (an open redirect).
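To make the last item concrete, the following Python is an added example and not code from Django or from this advisory. naive_is_safe_url() is a constructed, simplified check in the style of the pre-fix logic (accept any URL whose parsed netloc is empty or equals our host); hardened_is_safe_url() mirrors the steps of the fixed check (normalise backslashes, reject "///" and scheme-without-host forms, allow only http/https). The CASES list is constructed input; the host name example.com and the evil.example domain are assumptions for illustration only.

```python
from urllib.parse import urlparse


def naive_is_safe_url(url, host):
    """Simplified pre-fix style check (constructed for this example, not
    Django's code): trust any URL whose parsed netloc is empty or ours."""
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def hardened_is_safe_url(url, host):
    """Check mirroring the post-fix logic of django.utils.http.is_safe_url()."""
    if not url:
        return False
    # Browsers such as Chrome treat a backslash as a forward slash, so an
    # attacker can hide the host from urlparse() behind backslashes.
    url = url.replace("\\", "/")
    # "///evil.example" parses with an empty netloc but a browser still
    # treats it as a protocol-relative URL to evil.example.
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    # A scheme without a host (http:///evil.example) is never a local URL.
    if parts.scheme and not parts.netloc:
        return False
    if parts.netloc and parts.netloc != host:
        return False
    # Only http(s): this also rejects javascript:, data: and similar schemes.
    return not parts.scheme or parts.scheme in ("http", "https")


# Constructed redirect targets with the verdict a correct check must give
# for host "example.com".
CASES = [
    ("/accounts/profile/", True),
    ("https://example.com/accounts/", True),
    ("http://evil.example/", False),
    (r"http:\\evil.example", False),   # backslashes hide the host from urlparse()
    ("http:///evil.example", False),   # scheme present, host empty
    ("///evil.example", False),        # protocol-relative with an extra slash
    ("javascript:alert(1)", False),    # non-http scheme
]


def bypasses(host="example.com"):
    """Return the constructed URLs the naive check accepts but the hardened
    check rejects, i.e. the open-redirect bypasses."""
    return [
        url for url, _ in CASES
        if naive_is_safe_url(url, host) and not hardened_is_safe_url(url, host)
    ]


if __name__ == "__main__":
    for url in bypasses():
        print("naive check accepts, hardened check rejects:", url)
```

The hardened version rejects every constructed bypass while still accepting the two legitimate targets; the point for a practitioner is that rejecting on the parsed netloc alone is not enough, because browsers and urlparse() disagree on how to read the malformed forms.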

Solution

Upgrade the python-django packages.

For the oldstable distribution (squeeze), these problems have been fixed in version 1.2.3-3+squeeze10.

For the stable distribution (wheezy), these problems have been fixed in version 1.4.5-1+deb7u7.
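The plugin decides exposure by comparing the version in dpkg -l output against the fixed versions above. The following Python is an added example, not the plugin's NASL code: it implements the dpkg version ordering (epoch, upstream, Debian revision; "~" sorting before everything, letters before other characters, numeric runs compared as integers) and applies it to a constructed dpkg -l excerpt. The DPKG_L_SAMPLE text and the version 1.4.5-1+deb7u6 in it are constructed for illustration; the fixed versions are the ones this advisory lists.

```python
import re

# Fixed versions from DSA-2934-1, keyed by Debian release.
FIXED = {
    "squeeze": "1.2.3-3+squeeze10",
    "wheezy": "1.4.5-1+deb7u7",
}

# Constructed dpkg -l excerpt (not captured from a real host).
DPKG_L_SAMPLE = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name                 Version             Architecture Description
+++-====================-===================-============-======================
ii  python-django        1.4.5-1+deb7u6      all          High-level Python web development framework
ii  python2.7            2.7.3-6+deb7u2      amd64        Interactive high-level object-oriented language
"""


def _split_version(version):
    """Split a Debian version into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order(char):
    """dpkg ordering for one non-digit character: '~' sorts before the end
    of the string, letters sort before any other character."""
    if char == "~":
        return -1
    if char.isalpha():
        return ord(char)
    return ord(char) + 256


def _compare_fragment(a, b):
    """Compare two non-digit runs; a missing character orders as 0."""
    for i in range(max(len(a), len(b))):
        oa = _order(a[i]) if i < len(a) else 0
        ob = _order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _compare_part(a, b):
    """Compare upstream or revision strings as dpkg's verrevcmp() does:
    alternate non-digit runs (lexically, by _order) and digit runs (numerically)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        result = _compare_fragment(na, nb)
        if result:
            return result
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 for v1 <, == or > v2 (dpkg --compare-versions)."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _compare_part(u1, u2) or _compare_part(r1, r2)


def installed_version(dpkg_l_output, package):
    """Version of an installed ('ii') package from dpkg -l output, or None."""
    for line in dpkg_l_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii" and fields[1] == package:
            return fields[2]
    return None


def is_vulnerable(dpkg_l_output, release, package="python-django"):
    """True when the installed package is older than the DSA-2934 fixed version.
    A package that is not installed is reported as not affected."""
    fixed = FIXED[release]
    installed = installed_version(dpkg_l_output, package)
    if installed is None:
        return False
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    print("wheezy sample vulnerable:", is_vulnerable(DPKG_L_SAMPLE, "wheezy"))
```

On a real host the same logic runs over the output of dpkg -l, or dpkg --compare-versions can be called directly; the hand-written comparison is there so the ordering rules (10 after 9, "~rc1" before the release, an epoch overriding everything) are visible rather than hidden in the tool.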

See Also

https://security-tracker.debian.org/tracker/CVE-2014-0472

https://security-tracker.debian.org/tracker/CVE-2014-0473

https://security-tracker.debian.org/tracker/CVE-2014-0474

https://security-tracker.debian.org/tracker/CVE-2014-1418

https://security-tracker.debian.org/tracker/CVE-2014-3730

https://packages.debian.org/source/squeeze/python-django

https://packages.debian.org/source/wheezy/python-django

https://www.debian.org/security/2014/dsa-2934

Plugin Details

Severity: Critical

ID: 74097

File Name: debian_DSA-2934.nasl

Version: 1.8

Type: local

Agent: unix

Published: 5/20/2014

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:python-django, cpe:/o:debian:debian_linux:6.0, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 5/19/2014

Reference Information

CVE: CVE-2014-0472, CVE-2014-0473, CVE-2014-0474, CVE-2014-1418, CVE-2014-3730

BID: 67038, 67040, 67041, 67408, 67410

DSA: 2934