Bug 893089 (CVE-2014-0482) - VUL-0: CVE-2014-0482: python-django: RemoteUserMiddleware session hijacking
Summary: VUL-0: CVE-2014-0482: python-django: RemoteUserMiddleware session hijacking
Status: RESOLVED FIXED
Alias: CVE-2014-0482
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Deadline: 2014-09-05
Assignee: Bernhard Wiedemann
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/105253/
Whiteboard: maint:released:sle11-sp3-cl4:58830 ma...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-22 08:52 UTC by Alexander Bergmann
Modified: 2014-09-22 18:04 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2014-08-22 08:52:55 UTC
Django Security releases issued

Issue: RemoteUserMiddleware session hijacking (CVE-2014-0482)

Django provides a middleware -- django.contrib.auth.middleware.RemoteUserMiddleware -- and an authentication backend, django.contrib.auth.backends.RemoteUserBackend, which use the REMOTE_USER header for authentication purposes.

In some circumstances, use of this middleware and backend could result in one user receiving another user's session, if a change to the REMOTE_USER header occurred without corresponding logout/login actions.

To remedy this, the middleware will now ensure that a change to REMOTE_USER without an explicit logout will force a logout and subsequent login prior to accepting the new REMOTE_USER.

Thanks to David Greisen for reporting this issue.

Affected versions

    Django master development branch (currently at pre-alpha status)
    Django 1.7 (currently at release candidate status)
    Django 1.6
    Django 1.5
    Django 1.4

Patches:

Check the djangoproject.com weblog entry.


References:
https://www.djangoproject.com/weblog/2014/aug/20/security/
https://bugzilla.redhat.com/show_bug.cgi?id=1129954
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0482.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0482
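A reduced, stand-alone model of the middleware's request handling, added here as an illustration and not taken from Django or from the advisory: `vulnerable_process_request` mirrors the pre-fix logic of trusting an existing session without re-checking REMOTE_USER, and `fixed_process_request` the remedy the advisory describes (a changed header forces a logout and a fresh login). The `Request` class, the `login`/`logout` helpers and the user names are constructed for the example.

```python
"""Constructed stand-in for RemoteUserMiddleware.process_request (not Django's code)
showing the CVE-2014-0482 behaviour and the fixed behaviour side by side."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    META: dict                        # WSGI environ; REMOTE_USER is set by the web server
    session: dict = field(default_factory=dict)
    user: Optional[str] = None        # authenticated username, or None when anonymous


def login(request: Request, username: str) -> None:
    """Bind the session to a user (simplified django.contrib.auth.login)."""
    request.session["_auth_user_id"] = username
    request.user = username


def logout(request: Request) -> None:
    """Drop all session state (simplified django.contrib.auth.logout)."""
    request.session.clear()
    request.user = None


def vulnerable_process_request(request: Request) -> None:
    """Pre-fix logic: an existing session is trusted and REMOTE_USER is never re-read."""
    if request.user is not None:
        return                        # already authenticated -> header change goes unnoticed
    username = request.META.get("REMOTE_USER")
    if username:
        login(request, username)


def fixed_process_request(request: Request) -> None:
    """Post-fix logic: a REMOTE_USER that differs from the session user forces logout+login."""
    username = request.META.get("REMOTE_USER")
    if not username:
        return
    if request.user is not None:
        if request.user == username:
            return                    # same identity, nothing to do
        logout(request)               # identity changed: discard the previous user's session
    login(request, username)


def simulate(process_request):
    """alice authenticates; the server then presents REMOTE_USER=bob on the same session cookie."""
    first = Request(META={"REMOTE_USER": "alice"})
    process_request(first)
    carried = first.session           # session carried over by the browser's cookie
    second = Request(META={"REMOTE_USER": "bob"}, session=carried,
                     user=carried.get("_auth_user_id"))
    process_request(second)
    return second.user, second.session.get("_auth_user_id")
```

With the pre-fix logic `simulate` reports the second request still served as alice despite REMOTE_USER naming bob; with the fixed logic it reports bob with a fresh session.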
Comment 1 Swamp Workflow Management 2014-08-22 08:59:50 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-09-05.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58693
Comment 2 SMASH SMASH 2014-08-22 13:20:22 UTC
Affected packages:

SLE-11-SP3-CLOUD4: python-django
SLE-11-SP3-UPTU: python-django
Comment 3 Vincent Untz 2014-08-22 17:40:34 UTC
I guess we should just submit the python-django 1.5.9 as an update for Cloud 3 and Cloud 4.

Bernhard, can you take care of this?
Comment 4 Swamp Workflow Management 2014-08-22 22:00:26 UTC
bugbot adjusting priority
Comment 7 Swamp Workflow Management 2014-09-16 13:05:55 UTC
openSUSE-SU-2014:1132-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 874950,874955,874956,877993,878641,893087,893088,893089,893090
CVE References: CVE-2014-0472,CVE-2014-0473,CVE-2014-0474,CVE-2014-0480,CVE-2014-0481,CVE-2014-0482,CVE-2014-0483,CVE-2014-1418,CVE-2014-3730
Sources used:
openSUSE 13.1 (src):    python-django-1.5.10-0.2.8.1
openSUSE 12.3 (src):    python-django-1.4.15-2.12.1
Comment 8 Marcus Meissner 2014-09-22 12:33:24 UTC
released
Comment 9 Swamp Workflow Management 2014-09-22 18:04:51 UTC
SUSE-SU-2014:1153-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 893087,893088,893089,893090
CVE References: CVE-2014-0480,CVE-2014-0481,CVE-2014-0482,CVE-2014-0483
Sources used:
SUSE Cloud 4 (src):    python-django-1.5.10-0.11.1
SUSE Cloud 3 (src):    python-django-1.5.10-0.8.1