Bugzilla – Bug 913055
VUL-1: CVE-2015-0222: python-django: database denial of service with ModelMultipleChoiceField
Last modified: 2015-10-14 11:25:37 UTC
CVE-2015-0222

Given a form that uses ``ModelMultipleChoiceField`` and ``show_hidden_initial=True`` (not a documented API), it was possible for a user to cause an unreasonable number of SQL queries by submitting duplicate values for the field's data. The validation logic in ``ModelMultipleChoiceField`` now deduplicates submitted values to address this issue.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1179685
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0222
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0222.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0222
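The amplification described in the advisory, as an added illustration that is not Django's code and not part of this bug report: a minimal stand-in for the field's per-value lookup path, first as it behaved before the fix (one lookup per submitted value, duplicates included) and then with the submitted values deduplicated first. `CountingQuerySet`, `vulnerable_to_python`, `fixed_to_python` and `query_cost` are constructed names, and the model assumes each `get()` costs exactly one SQL query.

```python
# Constructed model of CVE-2015-0222 (not Django's own code): count how many
# lookups a submission with duplicate values triggers before and after
# deduplication.

class CountingQuerySet:
    """Fake queryset: 'rows' maps pk -> object; every get() is counted as
    one SQL query (the assumption this illustration rests on)."""
    def __init__(self, rows):
        self.rows = rows
        self.queries = 0

    def get(self, pk):
        self.queries += 1
        try:
            return self.rows[pk]
        except KeyError:
            raise ValueError("invalid choice: %r" % (pk,))


def vulnerable_to_python(qs, submitted):
    """Pre-fix shape: one lookup per submitted value, so N duplicate
    copies of the same pk cost N queries."""
    return [qs.get(pk) for pk in submitted]


def fixed_to_python(qs, submitted):
    """Post-fix shape: deduplicate before touching the database, so the
    cost is bounded by the number of distinct values."""
    try:
        unique = frozenset(submitted)
    except TypeError:
        # e.g. a list of lists: not hashable, reject as invalid input
        raise ValueError("unhashable submitted value")
    return [qs.get(pk) for pk in unique]


def query_cost(to_python, submitted, pks=("1", "2", "3")):
    """Validate 'submitted' with the given strategy over a three-row table.
    Returns (set of resolved objects, number of queries issued)."""
    qs = CountingQuerySet({pk: "obj-%s" % pk for pk in pks})
    result = to_python(qs, submitted)
    return frozenset(result), qs.queries


if __name__ == "__main__":
    flood = ["1"] * 500                     # one valid pk, repeated 500 times
    print("vulnerable:", query_cost(vulnerable_to_python, flood)[1], "queries")
    print("fixed:     ", query_cost(fixed_to_python, flood)[1], "queries")
```

Both strategies resolve the same set of objects; only the query count differs, which is why a form using `show_hidden_initial` (which runs this conversion on the hidden initial data as well) could be driven to an unreasonable number of queries before the fix.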
bugbot adjusting priority
Since this only happens in non-default configurations we will include this in a later update.
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2015-03-19. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60743
SUSE-SU-2015:0563-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (low)
Bug References: 913053,913054,913055,913056,914706
CVE References: CVE-2015-0219,CVE-2015-0220,CVE-2015-0221,CVE-2015-0222
Sources used: SUSE Cloud 4 (src): python-django-1.5.12-0.7.1
This is an autogenerated message for OBS integration: This bug (913055) was mentioned in https://build.opensuse.org/request/show/292722 13.2 / python-Django
openSUSE-SU-2015:0643-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 913053,913055,913056,923172,923176
CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317
Sources used: openSUSE 13.2 (src): python-Django-1.6.11-3.4.1

SUSE-SU-2015:1109-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 913053,913055,913056,923172,923176
CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317
Sources used: SUSE Enterprise Storage 1.0 (src): python-Django-1.6.11-4.1

SUSE-SU-2015:1112-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 913053,913055,913056,923172,923176
CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317
Sources used: SUSE Enterprise Storage 1.0 (src): python-Django-1.6.11-4.1
This is an autogenerated message for OBS integration: This bug (913055) was mentioned in https://build.opensuse.org/request/show/330037 13.1 / python-django
This is an autogenerated message for OBS integration: This bug (913055) was mentioned in https://build.opensuse.org/request/show/330056 13.1 / python-django
openSUSE-SU-2015:1598-1: An update that solves 6 vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 913053,913054,913055,913056,914706,923176,941587
CVE References: CVE-2015-0219,CVE-2015-0220,CVE-2015-0221,CVE-2015-0222,CVE-2015-2317,CVE-2015-5963
Sources used: openSUSE 13.1 (src): python-django-1.5.12-0.2.11.1
Unless I'm mistaken, this one has already been released. Can we close as FIXED?
Yes, this is fixed.