openSUSE Security Update : python-django (openSUSE-SU-2014:1132-1)

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

Python Django was updated to fix security issues and bugs.

Update to version 1.4.15 on openSUSE 12.3 :

+ Prevented reverse() from generating URLs pointing to
other hosts to prevent phishing attacks (bnc#893087,
CVE-2014-0480)

+ Removed O(n) algorithm when uploading duplicate file
names to fix file upload denial of service (bnc#893088,
CVE-2014-0481)

+ Modified RemoteUserMiddleware to logout on REMOTE_USER
change to prevent session hijacking (bnc#893089,
CVE-2014-0482)

+ Prevented data leakage in contrib.admin via query string
manipulation (bnc#893090, CVE-2014-0483)

+ Fixed: Caches may incorrectly be allowed to store and
serve private data (bnc#877993, CVE-2014-1418)

+ Fixed: Malformed redirect URLs from user input not
correctly validated (bnc#878641, CVE-2014-3730)

+ Fixed queries that may return unexpected results on
MySQL due to typecasting (bnc#874956, CVE-2014-0474)

+ Prevented leaking the CSRF token through caching
(bnc#874955, CVE-2014-0473)

+ Fixed a remote code execution vulnerability in URL
reversing (bnc#874950, CVE-2014-0472)

Update to version 1.5.10 on openSUSE 13.1 :

+ Prevented reverse() from generating URLs pointing to
other hosts to prevent phishing attacks (bnc#893087,
CVE-2014-0480)

+ Removed O(n) algorithm when uploading duplicate file
names to fix file upload denial of service (bnc#893088,
CVE-2014-0481)

+ Modified RemoteUserMiddleware to logout on REMOTE_USER
change to prevent session hijacking (bnc#893089,
CVE-2014-0482)

+ Prevented data leakage in contrib.admin via query string
manipulation (bnc#893090, CVE-2014-0483)

- Update to version 1.5.8 :

+ Fixed: Caches may incorrectly be allowed to store and
serve private data (bnc#877993, CVE-2014-1418)

+ Fixed: Malformed redirect URLs from user input not
correctly validated (bnc#878641, CVE-2014-3730)

+ Fixed queries that may return unexpected results on
MySQL due to typecasting (bnc#874956, CVE-2014-0474)

+ Prevented leaking the CSRF token through caching
(bnc#874955, CVE-2014-0473)

+ Fixed a remote code execution vulnerability in URL
reversing (bnc#874950, CVE-2014-0472)
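The two changelogs above give a fixed version per openSUSE release: 1.4.15 on 12.3 and 1.5.10 on 13.1, with every CVE in this update addressed within its own 1.4.x or 1.5.x branch. The following Python snippet is an added example, not part of Tenable's plugin or the openSUSE advisory; it performs the same comparison the plugin makes on the remote host, reading a package name-version-release string as `rpm -q python-django` would print it and deciding whether it is below the fixed version for its branch. The `rpm -q` lines are constructed for illustration, and the function names are assumptions.

```python
import re
from typing import Dict, Optional

# Fixed versions named in the advisory, keyed by the major.minor branch.
# A version from a branch this update does not cover (e.g. 1.6.x) cannot be
# judged from this page alone, so the checker returns None for it.
FIXED_VERSIONS = {
    (1, 4): (1, 4, 15),   # openSUSE 12.3
    (1, 5): (1, 5, 10),   # openSUSE 13.1
}

# Name-version-release.arch as printed by `rpm -q python-django`.
_NVR_RE = re.compile(r"^python-django-(\d+(?:\.\d+)*)-[^-]+$")


def parse_version(text: str) -> tuple:
    """Turn '1.5.8' into (1, 5, 8); a missing patch component counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) < 2:
        raise ValueError(f"unparseable Django version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def rpm_version(nvr_line: str) -> str:
    """Extract the upstream version from an rpm NVR string such as
    'python-django-1.5.8-2.3.1.noarch'. The trailing '.noarch' is part of
    the release field, so the regex only requires one release component."""
    m = _NVR_RE.match(nvr_line.strip())
    if not m:
        raise ValueError(f"not a python-django NVR line: {nvr_line!r}")
    return m.group(1)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is older than the fixed release of its branch,
    False if it is at or above it, None if the branch is outside this advisory."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def audit(rpm_lines) -> Dict[str, Optional[bool]]:
    """Map each NVR line to its verdict, skipping lines for other packages."""
    verdicts: Dict[str, Optional[bool]] = {}
    for line in rpm_lines:
        try:
            verdicts[line] = is_affected(rpm_version(line))
        except ValueError:
            continue
    return verdicts


if __name__ == "__main__":
    # Constructed sample output; these are not real host records.
    sample = [
        "python-django-1.4.14-3.1.noarch",   # 12.3 host, still vulnerable
        "python-django-1.5.10-2.3.1.noarch",  # 13.1 host, patched
        "python-django-1.6.5-1.1.noarch",     # branch not covered here
    ]
    for nvr, verdict in audit(sample).items():
        state = {True: "AFFECTED", False: "fixed", None: "not covered by this update"}[verdict]
        print(f"{nvr}: {state}")
```

The comparison is per branch on purpose: 1.5.8 is newer than 1.4.15 numerically but still carries CVE-2014-0480 through CVE-2014-0483, so a naive "is it above 1.4.15" test would pass a vulnerable 13.1 host.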

See also :

http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
https://bugzilla.novell.com/show_bug.cgi?id=874950
https://bugzilla.novell.com/show_bug.cgi?id=874955
https://bugzilla.novell.com/show_bug.cgi?id=874956
https://bugzilla.novell.com/show_bug.cgi?id=877993
https://bugzilla.novell.com/show_bug.cgi?id=878641
https://bugzilla.novell.com/show_bug.cgi?id=893087
https://bugzilla.novell.com/show_bug.cgi?id=893088
https://bugzilla.novell.com/show_bug.cgi?id=893089
https://bugzilla.novell.com/show_bug.cgi?id=893090

Solution :

Update the affected python-django package.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Family: SuSE Local Security Checks

Nessus Plugin ID: 77718

CVE ID: CVE-2014-0472
CVE-2014-0473
CVE-2014-0474
CVE-2014-0480
CVE-2014-0481
CVE-2014-0482
CVE-2014-0483
CVE-2014-1418
CVE-2014-3730
