Synopsis
The remote openSUSE host is missing a security update.
Description
Python Django was updated to fix security issues and bugs.
Update to version 1.4.15 on openSUSE 12.3:
+ Prevented reverse() from generating URLs pointing to other hosts, which could be abused for phishing (bnc#893087, CVE-2014-0480)
+ Removed an O(n) algorithm used when uploading duplicate file names, fixing a file upload denial of service (bnc#893088, CVE-2014-0481)
+ Modified RemoteUserMiddleware to log out the user when REMOTE_USER changes, preventing session hijacking (bnc#893089, CVE-2014-0482)
+ Prevented data leakage in contrib.admin via query string manipulation (bnc#893090, CVE-2014-0483)
+ Fixed: Caches may incorrectly be allowed to store and serve private data (bnc#877993, CVE-2014-1418)
+ Fixed: Malformed redirect URLs from user input not correctly validated (bnc#878641, CVE-2014-3730)
+ Fixed queries that may return unexpected results on MySQL due to typecasting (bnc#874956, CVE-2014-0474)
+ Prevented leaking the CSRF token through caching (bnc#874955, CVE-2014-0473)
+ Fixed a remote code execution vulnerability in URL reversing (bnc#874950, CVE-2014-0472)
Update to version 1.5.10 on openSUSE 13.1:
+ Prevented reverse() from generating URLs pointing to other hosts, which could be abused for phishing (bnc#893087, CVE-2014-0480)
+ Removed an O(n) algorithm used when uploading duplicate file names, fixing a file upload denial of service (bnc#893088, CVE-2014-0481)
+ Modified RemoteUserMiddleware to log out the user when REMOTE_USER changes, preventing session hijacking (bnc#893089, CVE-2014-0482)
+ Prevented data leakage in contrib.admin via query string manipulation (bnc#893090, CVE-2014-0483)
- Update to version 1.5.8:
+ Fixed: Caches may incorrectly be allowed to store and serve private data (bnc#877993, CVE-2014-1418)
+ Fixed: Malformed redirect URLs from user input not correctly validated (bnc#878641, CVE-2014-3730)
+ Fixed queries that may return unexpected results on MySQL due to typecasting (bnc#874956, CVE-2014-0474)
+ Prevented leaking the CSRF token through caching (bnc#874955, CVE-2014-0473)
+ Fixed a remote code execution vulnerability in URL reversing (bnc#874950, CVE-2014-0472)
Solution
Update the affected python-django package.
Plugin Details
File Name: openSUSE-2014-542.nasl
Agent: unix
Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vulnerability Information
CPE: cpe:/o:novell:opensuse:13.1, p-cpe:/a:novell:opensuse:python-django, cpe:/o:novell:opensuse:12.3
Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list
Patch Publication Date: 9/8/2014