Bug 874956 (CVE-2014-0474) - VUL-0: CVE-2014-0474: python-django: MySQL typecasting
Summary: VUL-0: CVE-2014-0474: python-django: MySQL typecasting
Status: RESOLVED FIXED
Alias: CVE-2014-0474
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/98213/
Whiteboard: maint:released:sle11-sp3-uptu:57492 m...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-24 07:30 UTC by Alexander Bergmann
Modified: 2015-02-19 01:49 UTC
CC List: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Alexander Bergmann 2014-04-24 07:30:21 UTC
Via rh#1090593:

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-0474 to
the following vulnerability:

Name: CVE-2014-0474
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0474
Assigned: 20131219
Reference: https://www.djangoproject.com/weblog/2014/apr/21/security/

The (1) FilePathField, (2) GenericIPAddressField, and (3)
IPAddressField model field classes in Django before 1.4.11, 1.5.x
before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not
properly perform type conversion, which allows remote attackers to
have unspecified impact and vectors, related to "MySQL typecasting."
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1090593
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0474
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0474
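The mechanism behind the "MySQL typecasting" wording above, as an added illustration that is not part of this bug report and not Django's or MySQL's code: when a VARCHAR column is compared with a numeric bound parameter, MySQL casts the column value to DOUBLE (leading numeric prefix, otherwise 0) rather than treating the parameter as text, so a lookup whose value was never coerced to a string can match rows it should not. The simulation below models that cast in pure Python (an approximation of MySQL's rules, not a reimplementation), contrasts a field that passes its lookup value through unchanged with one that coerces it to text the way the fixed Django releases do, and runs both against a constructed set of sample rows. The function names and the sample rows are assumptions made for the example.

```python
import re

# Constructed sample rows for a VARCHAR column of the kind that backs
# Django's FilePathField / IPAddressField (example data, not from the report).
SAMPLE_ROWS = [
    "/etc/passwd",
    "/srv/uploads/report.txt",
    "192.168.0.1",
    "10.0.0.1",
]

# Leading numeric prefix, the part MySQL keeps when casting a string to DOUBLE.
_NUMERIC_PREFIX = re.compile(r"^\s*[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")


def mysql_string_to_double(s):
    """Approximate MySQL's lenient VARCHAR -> DOUBLE cast used when a string
    column meets a numeric operand: the leading numeric prefix is kept and a
    string with no numeric prefix becomes 0 (MySQL only emits a warning).
    '192.168.0.1' -> 192.168, '/etc/passwd' -> 0.0."""
    m = _NUMERIC_PREFIX.match(s)
    return float(m.group(0)) if m else 0.0


def mysql_equals(column_value, param):
    """Model `column = %s` for a VARCHAR column.  A text parameter compares as
    text; a numeric parameter makes MySQL cast the *column* to DOUBLE first,
    which is the behaviour CVE-2014-0474 is about."""
    if isinstance(param, str):
        return column_value == param
    if isinstance(param, (int, float)) and not isinstance(param, bool):
        return mysql_string_to_double(column_value) == float(param)
    raise TypeError("unsupported parameter type: %r" % type(param))


def vulnerable_get_prep_value(value):
    """Modelled pre-fix behaviour: the field hands the lookup value to the DB
    adapter unchanged, so an int or float reaches MySQL as a number."""
    return value


def fixed_get_prep_value(value):
    """Modelled post-fix behaviour (hypothetical stand-in, not Django's code):
    coerce the value to text before it reaches the DB so that the comparison
    stays string-wise whatever type the caller passed in."""
    if value is None:
        return None
    return str(value)


def filter_rows(rows, lookup_value, get_prep_value):
    """Simulate `Model.objects.filter(field=lookup_value)` against MySQL,
    with `get_prep_value` standing in for the field's value preparation."""
    param = get_prep_value(lookup_value)
    if param is None:
        return []  # `field = NULL` never matches in SQL
    return [row for row in rows if mysql_equals(row, param)]


if __name__ == "__main__":
    # Unconverted 0 matches every row that has no numeric prefix.
    print(filter_rows(SAMPLE_ROWS, 0, vulnerable_get_prep_value))
    # Once the value is coerced to the text '0', nothing matches.
    print(filter_rows(SAMPLE_ROWS, 0, fixed_get_prep_value))
```

With the unconverted lookup, the integer 0 matches both path rows (they cast to 0), and the float 192.168 matches '192.168.0.1' because only the numeric prefix survives the cast; after coercion to text the same lookups match nothing, and only an exact string such as '10.0.0.1' returns a row. That is why the fix consists of forcing these fields' values to text before they reach the database adapter rather than anything in the SQL itself.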
Comment 1 Swamp Workflow Management 2014-04-24 22:00:27 UTC
bugbot adjusting priority
Comment 2 Bernhard Wiedemann 2014-05-26 06:27:14 UTC
In the context of SUSE Cloud we always use postgresql,
but from reading postgresql docs, it also does some implicit type conversions.
So to be on the safe side, we should add the patch
or upgrade from 1.4.8 to 1.4.11
Comment 3 Bernhard Wiedemann 2014-05-26 06:52:11 UTC
err. 1.4.8 was in Cloud 2.0 which is nearly EOL
for Cloud 3+ it is django-1.5.4 to 1.5.8
which includes at least 5 security fixes with hardly any other changes
(apart from doc fixes)
Comment 8 Johannes Segitz 2014-06-13 11:11:59 UTC
Issue is handled in SWAMP 57105
Comment 9 Vincent Untz 2014-06-27 10:21:00 UTC
Reassigning to security team as fix was submitted.
Comment 10 Swamp Workflow Management 2014-06-27 19:46:05 UTC
Update released for: python-django
Products:
SUSE-CLOUD 3.0 (x86_64)
Comment 11 Swamp Workflow Management 2014-06-27 23:04:48 UTC
SUSE-SU-2014:0851-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 874950,874955,874956,877993,878641
CVE References: CVE-2014-0472,CVE-2014-0473,CVE-2014-0474,CVE-2014-1418,CVE-2014-3730
Sources used:
SUSE Cloud 3 (src):    python-django-1.5.8-0.7.1
Comment 12 Marcus Meissner 2014-07-02 11:15:03 UTC
released
Comment 13 Swamp Workflow Management 2014-09-16 13:04:50 UTC
openSUSE-SU-2014:1132-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 874950,874955,874956,877993,878641,893087,893088,893089,893090
CVE References: CVE-2014-0472,CVE-2014-0473,CVE-2014-0474,CVE-2014-0480,CVE-2014-0481,CVE-2014-0482,CVE-2014-0483,CVE-2014-1418,CVE-2014-3730
Sources used:
openSUSE 13.1 (src):    python-django-1.5.10-0.2.8.1
openSUSE 12.3 (src):    python-django-1.4.15-2.12.1