Bugzilla – Bug 893088
VUL-0: CVE-2014-0481: python-django: file upload denial of service
Last modified: 2014-09-22 18:04:42 UTC
Django Security releases issued

Issue: file upload denial of service (CVE-2014-0481)

In the default configuration, when Django's file upload handling system is presented with a file that would have the same on-disk path and name as an existing file, it attempts to generate a new unique filename by appending an underscore and an integer to the end of the (as stored on disk) filename, incrementing the integer (i.e., _1, _2, etc.) until it has generated a name which does not conflict with any existing file.

An attacker with knowledge of this can exploit the sequential behavior of filename generation by uploading many tiny files which all share a filename; Django will, in processing them, generate ever-increasing numbers of os.stat() calls as it attempts to generate a unique filename. As a result, even a relatively small number of such uploads can significantly degrade performance.

To remedy this, Django's file-upload system will no longer use sequential integer names to avoid filename conflicts on disk; instead, a short random alphanumeric string will be appended, removing the ability to reliably generate many repeatedly-conflicting filenames.

Thanks to David Wilson for reporting this issue.

Affected versions:
- Django master development branch (currently at pre-alpha status)
- Django 1.7 (currently at release candidate status)
- Django 1.6
- Django 1.5
- Django 1.4

Patches: Check the djangoproject.com weblog entry.

References:
https://www.djangoproject.com/weblog/2014/aug/20/security/
https://bugzilla.redhat.com/show_bug.cgi?id=1129952
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0481.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0481
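To make the cost described in the advisory concrete, the following is an added example (not Django's code and not part of the bug report) that models both collision-handling strategies against an in-memory stand-in for the upload directory. The `FakeStorage` class, the `get_available_name` helper and the 7-character suffix length are assumptions of this example; it counts existence checks the way the advisory counts os.stat() calls, so the quadratic growth of the sequential scheme and the linear behaviour of the random-suffix fix can be compared directly.

```python
import os
import random
import string

# Constructed example: models the pre-fix and post-fix filename strategies
# described in the Django advisory on an in-memory "directory" so it runs
# offline. FakeStorage and get_available_name are assumptions, not Django's API.

ALPHANUM = string.ascii_letters + string.digits
RANDOM_SUFFIX_LEN = 7  # assumed length of the "short random alphanumeric string"


class FakeStorage:
    """In-memory stand-in for the upload directory. Every call to exists()
    is counted as one os.stat() against the real filesystem."""

    def __init__(self):
        self.files = set()
        self.stat_calls = 0

    def exists(self, name):
        self.stat_calls += 1
        return name in self.files

    def save(self, name, strategy):
        unique = get_available_name(self, name, strategy)
        self.files.add(unique)
        return unique


def get_available_name(storage, name, strategy):
    """Return a name that does not collide with an existing file.

    strategy == "sequential": pre-fix behaviour, append _1, _2, _3 ... and
    probe the disk once per candidate, so the k-th duplicate costs k probes.
    strategy == "random": fixed behaviour, append a random alphanumeric tag;
    a collision with an existing tag is vanishingly unlikely, so the loop
    almost always ends after a single extra probe.
    """
    dir_name, file_name = os.path.split(name)
    file_root, file_ext = os.path.splitext(file_name)
    count = 0
    while storage.exists(name):
        if strategy == "sequential":
            count += 1
            suffix = "_%d" % count
        elif strategy == "random":
            suffix = "_" + "".join(random.choice(ALPHANUM)
                                   for _ in range(RANDOM_SUFFIX_LEN))
        else:
            raise ValueError("unknown strategy: %r" % strategy)
        name = os.path.join(dir_name, "%s%s%s" % (file_root, suffix, file_ext))
    return name


def upload_colliding_files(n, strategy, seed=0):
    """Simulate n uploads that all carry the same filename and report the
    total number of existence checks (os.stat() equivalents) plus how many
    distinct files ended up stored."""
    random.seed(seed)  # deterministic for the reader; irrelevant to the cost model
    storage = FakeStorage()
    for _ in range(n):
        storage.save("uploads/report.txt", strategy)
    return {"stat_calls": storage.stat_calls, "stored": len(storage.files)}


if __name__ == "__main__":
    for n in (10, 100, 1000):
        seq = upload_colliding_files(n, "sequential")
        rnd = upload_colliding_files(n, "random")
        print("%5d uploads: sequential=%8d stat calls, random=%5d stat calls"
              % (n, seq["stat_calls"], rnd["stat_calls"]))
```

With sequential numbering the k-th duplicate probes k candidate names, so n colliding uploads cost n(n+1)/2 checks in total; with a random suffix each upload after the first costs two checks (the base name, then one random candidate), so the total stays close to 2n regardless of how many duplicates arrive.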
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-09-05. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58693
Affected packages:
SLE-11-SP3-CLOUD4: python-django
SLE-11-SP3-UPTU: python-django
I guess we should just submit the python-django 1.5.9 as an update for Cloud 3 and Cloud 4. Bernhard, can you take care of this?
bugbot adjusting priority
openSUSE-SU-2014:1132-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 874950,874955,874956,877993,878641,893087,893088,893089,893090
CVE References: CVE-2014-0472,CVE-2014-0473,CVE-2014-0474,CVE-2014-0480,CVE-2014-0481,CVE-2014-0482,CVE-2014-0483,CVE-2014-1418,CVE-2014-3730
Sources used:
openSUSE 13.1 (src): python-django-1.5.10-0.2.8.1
openSUSE 12.3 (src): python-django-1.4.15-2.12.1
released
SUSE-SU-2014:1153-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 893087,893088,893089,893090
CVE References: CVE-2014-0480,CVE-2014-0481,CVE-2014-0482,CVE-2014-0483
Sources used:
SUSE Cloud 4 (src): python-django-1.5.10-0.11.1
SUSE Cloud 3 (src): python-django-1.5.10-0.8.1