Bug 878641 (CVE-2014-3730) - VUL-0: CVE-2014-3730: python-django: django.util.http.is_safe_url function
Summary: VUL-0: CVE-2014-3730: python-django: django.util.http.is_safe_url function
Status: VERIFIED FIXED
Alias: CVE-2014-3730
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/98860/
Whiteboard: maint:released:sle11-sp3-uptu:57492 m...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-19 13:20 UTC by Sebastian Krahmer
Modified: 2015-02-19 10:32 UTC
CC List: 8 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Sebastian Krahmer 2014-05-19 13:20:22 UTC
CVE-2014-3730

The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5
before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate
URLs, which allows remote attackers to conduct open redirect attacks via a
malformed URL, as demonstrated by "http:\\\djangoproject.com."

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3730
http://www.cvedetails.com/cve/CVE-2014-3730/
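The parser/browser mismatch behind the CVE text above, as an added example that is not part of this bug report and is not Django's own code: a simplified reconstruction of the pre-fix style of check (it trusts urlparse's idea of where the host is) beside a hardened version modelled on the approach the fixed releases took (normalise backslashes to slashes before parsing, refuse three leading slashes, and refuse a scheme with no host). The function names, the trusted host value and the sample URLs are constructed for illustration; only the first sample is the shape named in the CVE description.

```python
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")


def is_safe_url_vulnerable(url, host=None):
    """Simplified reconstruction (an assumption, not Django's code verbatim) of
    the pre-fix check.  urlparse only recognises '//' as the authority
    delimiter, so 'http:\\\\\\djangoproject.com' parses with an empty netloc
    and passes, while a browser treats '\\' as '/' and navigates off-site."""
    if not url:
        return False
    info = urlparse(url)
    return (not info.netloc or info.netloc == host) and (
        not info.scheme or info.scheme in ALLOWED_SCHEMES
    )


def is_safe_url_hardened(url, host=None):
    """Hardened variant modelled on the fix approach: parse what the browser
    will see and reject the shapes urlparse calls host-less but a browser
    treats as absolute."""
    if not url:
        return False
    # Browsers treat a backslash as a forward slash; normalise before parsing.
    url = url.replace("\\", "/")
    # '///host': urlparse yields an empty netloc, browsers read 'host' as the host.
    if url.startswith("///"):
        return False
    info = urlparse(url)
    # 'http:///host': scheme present, netloc empty; same parser/browser split.
    if info.scheme and not info.netloc:
        return False
    return (not info.netloc or info.netloc == host) and (
        not info.scheme or info.scheme in ALLOWED_SCHEMES
    )


# Constructed sample inputs (not taken from the bug report); the host is assumed.
TRUSTED_HOST = "example.com"
SAMPLE_URLS = [
    r"http:\\\djangoproject.com",  # the shape named in the CVE text
    r"\\evil.com",                 # protocol-relative with backslashes
    r"/\evil.com",                 # one slash, one backslash
    "///evil.com",                 # three leading slashes
    "http:///evil.com",            # scheme, no host
    "//evil.com",                  # plain protocol-relative: both reject
    "javascript:alert(1)",         # disallowed scheme: both reject
    "/accounts/profile/",          # genuine relative path: both accept
    "https://example.com/next",    # absolute, same host: both accept
]


def compare(urls=SAMPLE_URLS, host=TRUSTED_HOST):
    """Return {url: (vulnerable_verdict, hardened_verdict)} for each sample."""
    return {u: (is_safe_url_vulnerable(u, host), is_safe_url_hardened(u, host))
            for u in urls}


def bypasses(urls=SAMPLE_URLS, host=TRUSTED_HOST):
    """URLs the vulnerable check accepts but the hardened one rejects."""
    return [u for u, (vuln, hard) in compare(urls, host).items() if vuln and not hard]


if __name__ == "__main__":
    for u, (vuln, hard) in compare().items():
        print(f"{u!r:32} vulnerable={vuln!s:5} hardened={hard}")
```

The point of the comparison is that the redirect target is interpreted twice, once by the server-side parser and once by the browser, and only the browser's reading matters; a check that normalises to the browser's view before parsing closes the whole class, not just the three-backslash instance in the advisory.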
Comment 1 Swamp Workflow Management 2014-05-19 22:00:32 UTC
bugbot adjusting priority
Comment 3 Ruediger Oertel 2014-05-26 14:46:25 UTC
looks like the 1.5.4 was fixed but the 1.4.8 for cloud-2.0 still needs fixing.
Comment 9 Johannes Segitz 2014-06-13 11:11:06 UTC
Issue is handled in SWAMP 57105
Comment 10 Vincent Untz 2014-06-27 10:21:03 UTC
Reassigning to security team as fix was submitted.
Comment 11 Swamp Workflow Management 2014-06-27 19:46:08 UTC
Update released for: python-django
Products:
SUSE-CLOUD 3.0 (x86_64)
Comment 12 Swamp Workflow Management 2014-06-27 23:05:09 UTC
SUSE-SU-2014:0851-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 874950,874955,874956,877993,878641
CVE References: CVE-2014-0472,CVE-2014-0473,CVE-2014-0474,CVE-2014-1418,CVE-2014-3730
Sources used:
SUSE Cloud 3 (src):    python-django-1.5.8-0.7.1
Comment 13 Alexander Bergmann 2014-08-19 08:18:09 UTC
Fix was released. Closing bug.
Comment 14 Swamp Workflow Management 2014-09-16 13:05:16 UTC
openSUSE-SU-2014:1132-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 874950,874955,874956,877993,878641,893087,893088,893089,893090
CVE References: CVE-2014-0472,CVE-2014-0473,CVE-2014-0474,CVE-2014-0480,CVE-2014-0481,CVE-2014-0482,CVE-2014-0483,CVE-2014-1418,CVE-2014-3730
Sources used:
openSUSE 13.1 (src):    python-django-1.5.10-0.2.8.1
openSUSE 12.3 (src):    python-django-1.4.15-2.12.1