Test ID: | 1.3.6.1.4.1.25623.1.1.1.2.2014.65 |
Category: | Debian Local Security Checks |
Title: | Debian: Security Advisory (DLA-65-1) |
Summary: | The remote host is missing an update for the Debian 'python-django' package(s) announced via the DLA-65-1 advisory. |
Description: | Summary: The remote host is missing an update for the Debian 'python-django' package(s) announced via the DLA-65-1 advisory.

Vulnerability Insight: This update addresses an issue with reverse() generating external URLs, a denial of service involving file uploads, a potential session hijacking issue in the remote-user middleware, and a data leak in the administrative interface.

This update has been brought to you thanks to the Debian LTS sponsors: [link moved to references]

CVE-2014-0480

Django includes the helper function django.core.urlresolvers.reverse, typically used to generate a URL from a reference to a view function or URL pattern name. However, when presented with input beginning with two forward-slash characters (//), reverse() could generate scheme-relative URLs to other hosts, allowing an attacker who is aware of unsafe use of reverse() (i.e., in a situation where an end user can control the target of a redirect, to take a common example) to generate links to sites of their choice, enabling phishing and other attacks.

To remedy this, URL reversing now ensures that no URL starts with two slashes (//), replacing the second slash with its URL-encoded counterpart (%2F). This approach ensures that semantics stay the same, while making the URL relative to the domain and not to the scheme.

CVE-2014-0481

In the default configuration, when Django's file upload handling system is presented with a file that would have the same on-disk path and name as an existing file, it attempts to generate a new unique filename by appending an underscore and an integer to the end of the (as stored on disk) filename, incrementing the integer (i.e., _1, _2, etc.) until it has generated a name which does not conflict with any existing file.

An attacker with knowledge of this can exploit the sequential behavior of filename generation by uploading many tiny files which all share a filename; Django will, in processing them, generate ever-increasing numbers of os.stat() calls as it attempts to generate a unique filename. As a result, even a relatively small number of such uploads can significantly degrade performance.

To remedy this, Django's file-upload system will no longer use sequential integer names to avoid filename conflicts on disk; instead, a short random alphanumeric string will be appended, removing the ability to reliably generate many repeatedly-conflicting filenames.

CVE-2014-0482

Django provides a middleware, django.contrib.auth.middleware.RemoteUserMiddleware, and an authentication backend, django.contrib.auth.backends.RemoteUserBackend, which use the REMOTE_USER header for authentication purposes.

In some circumstances, use of this middleware and backend could result in one user receiving another user's session, if a change to the REMOTE_USER header occurred without corresponding logout/login actions.

To remedy this, the middleware will now ensure that a change to REMOTE_USER without an explicit logout will force a logout and subsequent login prior to accepting the new REMOTE_USER.

CVE-2014-0483

Django's ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS: 'python-django' package(s) on Debian 6.

Solution: Please install the updated package(s).

CVSS Score: 6.0

CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P |
Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2014-0480
BugTraq ID: 69425
http://www.securityfocus.com/bid/69425
Debian Security Information: DSA-3010
http://www.debian.org/security/2014/dsa-3010
http://secunia.com/advisories/59782
http://secunia.com/advisories/61276
http://secunia.com/advisories/61281
SuSE Security Announcement: openSUSE-SU-2014:1132
http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
Common Vulnerability Exposure (CVE) ID: CVE-2014-0481
Common Vulnerability Exposure (CVE) ID: CVE-2014-0482
Common Vulnerability Exposure (CVE) ID: CVE-2014-0483 |
Copyright | Copyright (C) 2023 Greenbone AG |