Bugzilla – Bug 893087
VUL-0: CVE-2014-0480: python-django: reverse() can generate URLs pointing to other hosts, leading to phishing attacks
Last modified: 2014-09-22 18:04:33 UTC
Django Security releases issued

Issue: reverse() can generate URLs pointing to other hosts (CVE-2014-0480)

Django includes the helper function django.core.urlresolvers.reverse, typically used to generate a URL from a reference to a view function or URL pattern name. However, when presented with input beginning with two forward-slash characters (//), reverse() could generate scheme-relative URLs to other hosts, allowing an attacker who is aware of unsafe use of reverse() (i.e., in a situation where an end user can control the target of a redirect, to take a common example) to generate links to sites of their choice, enabling phishing and other attacks.

To remedy this, URL reversing now ensures that no URL starts with two slashes (//), replacing the second slash with its URL encoded counterpart (%2F). This approach ensures that semantics stay the same, while making the URL relative to the domain and not to the scheme.

Thanks to Florian Apolloner for reporting this issue.

Affected versions
Django master development branch (currently at pre-alpha status)
Django 1.7 (currently at release candidate status)
Django 1.6
Django 1.5
Django 1.4

Patches: Check the djangoproject.com weblog entry.

References:
https://www.djangoproject.com/weblog/2014/aug/20/security/
https://bugzilla.redhat.com/show_bug.cgi?id=1129950
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0480.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0480
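As an added illustration (not code from this bug report or from Django itself): a minimal Python stand-in for the failure mode and for the remedy the advisory describes, assuming a catch-all pattern such as r'^(?P<path>.*)$' whose captured argument is user-controlled. The names toy_reverse, neutralize_scheme_relative, resolves_to_other_host and server_side_path are constructed for this example.

```python
from urllib.parse import unquote, urlsplit


def toy_reverse(captured_arg: str) -> str:
    """Simplified stand-in (not Django's code) for reverse() on a catch-all
    pattern such as r'^(?P<path>.*)$': the substituted pattern is appended to
    a leading '/'. An argument that itself starts with '/' therefore yields
    '//host/...', which browsers resolve as a scheme-relative URL."""
    return "/" + captured_arg


def neutralize_scheme_relative(url: str) -> str:
    """The remedy described in the advisory: a reversed URL must not start with
    two slashes, so the second slash is replaced by its encoded form %2F. The
    path decodes to the same value server-side, but the link now stays
    relative to the current host rather than to the scheme."""
    if url.startswith("//"):
        return "/%2F" + url[2:]
    return url


def resolves_to_other_host(url: str) -> bool:
    """Defender-side check on a redirect target: does a browser treat it as
    pointing at another host? True for absolute URLs (scheme + netloc) and for
    scheme-relative '//host/...' URLs; backslashes count as slashes because
    some browsers normalise them that way."""
    return bool(urlsplit(url.replace("\\", "/")).netloc)


def server_side_path(url: str) -> str:
    """What a view sees after the web server percent-decodes the path: shows
    that the %2F rewrite preserves the original path semantics."""
    return unquote(urlsplit(url).path)


if __name__ == "__main__":
    # Constructed sample: a user-controlled redirect value starting with '/'.
    user_value = "/evil.example/login"
    unsafe = toy_reverse(user_value)               # '//evil.example/login'
    fixed = neutralize_scheme_relative(unsafe)     # '/%2Fevil.example/login'
    print(unsafe, resolves_to_other_host(unsafe))  # True: other host
    print(fixed, resolves_to_other_host(fixed))    # False: same host
    print(server_side_path(fixed) == unsafe)       # True: same decoded path
```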
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-09-05. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58693
Affected packages:
SLE-11-SP3-CLOUD4: python-django
SLE-11-SP3-UPTU: python-django
I guess we should just submit the python-django 1.5.9 as an update for Cloud 3 and Cloud 4. Bernhard, can you take care of this?
bugbot adjusting priority
openSUSE-SU-2014:1132-1: An update that fixes 9 vulnerabilities is now available.
Category: security (moderate)
Bug References: 874950,874955,874956,877993,878641,893087,893088,893089,893090
CVE References: CVE-2014-0472,CVE-2014-0473,CVE-2014-0474,CVE-2014-0480,CVE-2014-0481,CVE-2014-0482,CVE-2014-0483,CVE-2014-1418,CVE-2014-3730
Sources used:
openSUSE 13.1 (src): python-django-1.5.10-0.2.8.1
openSUSE 12.3 (src): python-django-1.4.15-2.12.1
released
SUSE-SU-2014:1153-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 893087,893088,893089,893090
CVE References: CVE-2014-0480,CVE-2014-0481,CVE-2014-0482,CVE-2014-0483
Sources used:
SUSE Cloud 4 (src): python-django-1.5.10-0.11.1
SUSE Cloud 3 (src): python-django-1.5.10-0.8.1