Bugzilla – Bug 893090
VUL-0: CVE-2014-0483: python-django: data leakage via querystring manipulation in admin
Last modified: 2014-09-22 18:04:58 UTC
Django Security releases issued

Issue: data leakage via querystring manipulation in admin (CVE-2014-0483)

Django's administrative interface, django.contrib.admin, offers a feature whereby related objects can be displayed for selection in a popup window. The mechanism for this relies on placing values in the URL and querystring which specify the related model to display and the field through which the relationship is implemented.

This mechanism does perform permission checks at the level of the model class as a whole. This mechanism did not, however, verify that the specified field actually represents a relationship between models. Thus a user with access to the admin interface, and with sufficient knowledge of model structure and the appropriate URLs, could construct popup views which would display the values of non-relationship fields, including fields the application developer had not intended to expose in such a fashion.

To remedy this, the admin interface will now, in addition to its normal permission checks, verify that the specified field does indeed represent a relationship, to a model registered with the admin, and will raise an exception if either condition is not true.

Thanks to Collin Anderson for reporting this issue.

Affected versions:
Django master development branch (currently at pre-alpha status)
Django 1.7 (currently at release candidate status)
Django 1.6
Django 1.5
Django 1.4

Patches: Check the djangoproject.com weblog entry.

References:
https://www.djangoproject.com/weblog/2014/aug/20/security/
https://bugzilla.redhat.com/show_bug.cgi?id=1129959
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0483.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0483
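The two conditions the advisory describes (the field named in the querystring must be a genuine relationship, and its target must be a model registered with the admin) are easy to see in isolation. The following is an added illustration written for this bug entry, not Django's own patch or any code from django.contrib.admin: it models an admin registry and a small schema with plain Python structures so it runs without Django, and applies the model-level permission check plus the two new field checks before resolving which model a popup may list. The schema (MODELS, ADMIN_REGISTRY), the permission naming (view_<model>) and the function names are assumptions made for this example.

```python
"""Validation of a "related object" popup request, modelled on the CVE-2014-0483 fix.

Added illustration, not Django's own code. MODELS, ADMIN_REGISTRY, the
view_<model> permission names and resolve_popup_target are assumptions
made for this example so that it runs offline without Django.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class PopupLookupDenied(Exception):
    """Raised when a popup request does not describe a permitted relationship."""


@dataclass
class Field:
    name: str
    related_model: Optional[str] = None   # set only for relationship fields


@dataclass
class Model:
    name: str
    fields: Dict[str, Field] = field(default_factory=dict)


# Constructed sample schema: "order" has a real relationship to "customer",
# a relationship to an unregistered "warehouse" model, and a plain text
# field (internal_note) that must never be listed by a popup.
MODELS = {
    "customer": Model("customer", {"id": Field("id"), "email": Field("email")}),
    "order": Model("order", {
        "id": Field("id"),
        "customer": Field("customer", related_model="customer"),
        "warehouse": Field("warehouse", related_model="warehouse"),
        "internal_note": Field("internal_note"),
    }),
    "auditlog": Model("auditlog", {"actor": Field("actor", related_model="customer")}),
}

# Only models registered here are reachable through the admin at all.
ADMIN_REGISTRY = {"customer", "order"}


def user_may_view(user_perms: Set[str], model_name: str) -> bool:
    """Model-level permission check (the check the admin performed before the fix)."""
    return f"view_{model_name}" in user_perms


def resolve_popup_target(user_perms: Set[str], model_name: str, field_name: str) -> str:
    """Return the related model a popup may list for (model_name, field_name).

    model_name and field_name come from the URL/querystring and are untrusted,
    so every step is an explicit lookup that fails closed.
    """
    model = MODELS.get(model_name)
    if model is None or model_name not in ADMIN_REGISTRY:
        raise PopupLookupDenied(f"model {model_name!r} is not registered with the admin")
    if not user_may_view(user_perms, model_name):
        raise PopupLookupDenied(f"no permission on model {model_name!r}")

    fld = model.fields.get(field_name)
    # First condition added by the fix: the field must be a relationship.
    # Without it, naming a non-relationship field turned the popup into a
    # listing of that field's values.
    if fld is None or fld.related_model is None:
        raise PopupLookupDenied(f"{model_name}.{field_name} is not a relationship field")
    # Second condition added by the fix: the target must be admin-registered.
    if fld.related_model not in ADMIN_REGISTRY:
        raise PopupLookupDenied(f"target {fld.related_model!r} is not registered with the admin")
    if not user_may_view(user_perms, fld.related_model):
        raise PopupLookupDenied(f"no permission on related model {fld.related_model!r}")
    return fld.related_model


def popup_allowed(user_perms: Set[str], model_name: str, field_name: str) -> bool:
    """True when the popup would be served, False when it is refused."""
    try:
        resolve_popup_target(user_perms, model_name, field_name)
        return True
    except PopupLookupDenied:
        return False


if __name__ == "__main__":
    perms = {"view_order", "view_customer"}
    print(resolve_popup_target(perms, "order", "customer"))   # customer
    print(popup_allowed(perms, "order", "internal_note"))     # False
```

The pre-fix behaviour corresponds to skipping the two middle checks: the model-level permission alone is not enough, because it says nothing about which field of the model the popup will read. Failing closed on an unknown field name, a non-relationship field, or an unregistered target keeps the popup restricted to data the admin was already configured to expose.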
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-09-05. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58693
Affected packages:
SLE-11-SP3-CLOUD4: python-django
SLE-11-SP3-UPTU: python-django
I guess we should just submit the python-django 1.5.9 as an update for Cloud 3 and Cloud 4. Bernhard, can you take care of this?
bugbot adjusting priority
openSUSE-SU-2014:1132-1: An update that fixes 9 vulnerabilities is now available.
Category: security (moderate)
Bug References: 874950,874955,874956,877993,878641,893087,893088,893089,893090
CVE References: CVE-2014-0472,CVE-2014-0473,CVE-2014-0474,CVE-2014-0480,CVE-2014-0481,CVE-2014-0482,CVE-2014-0483,CVE-2014-1418,CVE-2014-3730
Sources used:
openSUSE 13.1 (src): python-django-1.5.10-0.2.8.1
openSUSE 12.3 (src): python-django-1.4.15-2.12.1
released
SUSE-SU-2014:1153-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 893087,893088,893089,893090
CVE References: CVE-2014-0480,CVE-2014-0481,CVE-2014-0482,CVE-2014-0483
Sources used:
SUSE Cloud 4 (src): python-django-1.5.10-0.11.1
SUSE Cloud 3 (src): python-django-1.5.10-0.8.1