Bugzilla – Bug 913056
VUL-1: CVE-2015-0221: python-django: denial of service attack against django.views.static.serve
Last modified: 2015-09-22 09:12:29 UTC
CVE-2015-0221

In older versions of Django, the ``django.views.static.serve()`` view read the files it served one line at a time. Therefore, a big file with no newlines would result in memory usage equal to the size of that file. An attacker could exploit this and launch a denial-of-service attack by simultaneously requesting many large files. This view now reads the file in chunks to prevent large memory usage. Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid. Now may be a good time to audit your project and serve your files in production using a real front-end web server if you are not doing so.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1179679
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0221
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0221.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0221
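The memory behaviour described above, as an added example that is not Django's own code: a line-based reader and a fixed-size chunk reader are run over a constructed newline-free payload, and the largest block each one holds at once is compared. The 8192-byte chunk size and the function names are this example's assumptions, not values taken from Django.

```python
import io

# Constructed sample input: a 256 KiB payload containing no newline at all,
# which is exactly the shape of file that defeats line-based reading.
SAMPLE_SIZE = 256 * 1024
SAMPLE = b"A" * SAMPLE_SIZE


def iter_lines(fileobj):
    """Pre-fix behaviour: iterate the file line by line. A file without any
    newline comes back as a single block, so peak memory equals the file size."""
    for line in fileobj:
        yield line


def iter_chunks(fileobj, chunk_size=8192):
    """Fixed behaviour: read fixed-size blocks, so the memory held per request
    is bounded by chunk_size no matter what the file contains."""
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        yield chunk


def peak_block_size(blocks):
    """Largest single block a reader strategy has in memory at one time."""
    return max((len(block) for block in blocks), default=0)


def compare(data=SAMPLE, chunk_size=8192):
    """Return (line-based peak, chunked peak) in bytes for the given data."""
    line_peak = peak_block_size(iter_lines(io.BytesIO(data)))
    chunk_peak = peak_block_size(iter_chunks(io.BytesIO(data), chunk_size))
    return line_peak, chunk_peak


if __name__ == "__main__":
    line_peak, chunk_peak = compare()
    print(f"line-based peak: {line_peak} bytes; chunked peak: {chunk_peak} bytes")
```

With the newline-free sample the line-based reader holds the whole 262144 bytes at once while the chunked reader never holds more than 8192, which is the bound that a flood of concurrent requests can no longer defeat.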
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2015-03-19. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60743
SUSE-SU-2015:0563-1: An update that solves four vulnerabilities and has one errata is now available. Category: security (low) Bug References: 913053,913054,913055,913056,914706 CVE References: CVE-2015-0219,CVE-2015-0220,CVE-2015-0221,CVE-2015-0222 Sources used: SUSE Cloud 4 (src): python-django-1.5.12-0.7.1
This is an autogenerated message for OBS integration: This bug (913056) was mentioned in https://build.opensuse.org/request/show/292722 13.2 / python-Django
openSUSE-SU-2015:0643-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 913053,913055,913056,923172,923176 CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317 Sources used: openSUSE 13.2 (src): python-Django-1.6.11-3.4.1
SUSE-SU-2015:1109-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 913053,913055,913056,923172,923176 CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317 Sources used: SUSE Enterprise Storage 1.0 (src): python-Django-1.6.11-4.1
SUSE-SU-2015:1112-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 913053,913055,913056,923172,923176 CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317 Sources used: SUSE Enterprise Storage 1.0 (src): python-Django-1.6.11-4.1
All show as released.
This is an autogenerated message for OBS integration: This bug (913056) was mentioned in https://build.opensuse.org/request/show/330037 13.1 / python-django
This is an autogenerated message for OBS integration: This bug (913056) was mentioned in https://build.opensuse.org/request/show/330056 13.1 / python-django
openSUSE-SU-2015:1598-1: An update that solves 6 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 913053,913054,913055,913056,914706,923176,941587 CVE References: CVE-2015-0219,CVE-2015-0220,CVE-2015-0221,CVE-2015-0222,CVE-2015-2317,CVE-2015-5963 Sources used: openSUSE 13.1 (src): python-django-1.5.12-0.2.11.1