Bugzilla – Bug 937523
VUL-0: CVE-2015-5144: python-django: Header injection possibility since validators accept newlines in input
Last modified: 2016-04-27 19:42:42 UTC
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/

Header injection possibility since validators accept newlines in input

Some of Django's built-in validators (django.core.validators.EmailValidator, most seriously) didn't prohibit newline characters (due to the usage of $ instead of \Z in the regular expressions). If you use values with newlines in HTTP response or email headers, you can suffer from header injection attacks. Django itself isn't vulnerable because django.http.HttpResponse and the mail sending utilities in django.core.mail prohibit newlines in HTTP and SMTP headers, respectively.

While the validators have been fixed in Django, if you're creating HTTP responses or email messages in other ways, it's a good idea to ensure that those methods prohibit newlines as well. You might also want to validate that any existing data in your application doesn't contain unexpected newlines.

django.core.validators.validate_ipv4_address(), django.core.validators.validate_slug(), and django.core.validators.URLValidator are also affected, however, as of Django 1.6 the GenericIPAddressField, IPAddressField, SlugField, and URLField form fields which use these validators all strip the input, so the possibility of newlines entering your data only exists if you are using these validators outside of the form fields.

The undocumented, internally unused validate_integer() function is now stricter as it validates using a regular expression instead of simply casting the value using int() and checking if an exception was raised.

Thanks Sjoerd Job Postmus for reporting the issue. This issue has been assigned the identifier CVE-2015-5144.

Fixed in 1.4.21, 1.7.9, and 1.8.3
https://github.com/django/django/commit/014247ad1922931a2f17beaf6249247298e9dc44

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1239011
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5144
http://www.debian.org/security/2015/dsa-3305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5144
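The $ versus \Z point in the advisory above is easy to misread, so here is an added, self-contained illustration (not code from Django or from this bug's comments). It uses a simplified slug pattern constructed for the example, not Django's real validator regexes, anchored once with $ (pre-fix behaviour) and once with \Z (post-fix behaviour), together with the kind of CR/LF check the advisory recommends for code that builds headers outside django.http.HttpResponse or django.core.mail, and a small audit helper for finding stored values that already contain newlines. The sample rows are constructed.

```python
import re

# Simplified slug pattern, constructed for this example (not Django's own regex).
# In Python's re module, '$' matches at the end of the string AND just before a
# single trailing '\n', so "hello-world\n" is accepted by SLUG_BEFORE.
# '\Z' matches only at the true end of the string, which is what the fix switched to.
SLUG_BEFORE = re.compile(r'^[-a-zA-Z0-9_]+$')   # pre-fix anchor
SLUG_AFTER = re.compile(r'^[-a-zA-Z0-9_]+\Z')   # post-fix anchor


def is_valid_slug(value: str, pattern: re.Pattern = SLUG_AFTER) -> bool:
    """Return True if the whole value matches the slug pattern."""
    return pattern.match(value) is not None


def contains_newline(value: str) -> bool:
    """True if a value would start a new line if written raw into an HTTP or SMTP header."""
    return '\r' in value or '\n' in value


def safe_header_value(value: str) -> str:
    """The kind of guard the advisory asks for in code that builds headers itself:
    refuse any value containing CR or LF instead of emitting it."""
    if contains_newline(value):
        raise ValueError('header values must not contain CR or LF')
    return value


def find_newline_records(rows: dict) -> list:
    """Audit existing data: return (row_id, field, value) for every string field
    that contains CR or LF, so it can be cleaned before it reaches a header."""
    hits = []
    for row_id, row in rows.items():
        for field, value in row.items():
            if isinstance(value, str) and contains_newline(value):
                hits.append((row_id, field, value))
    return hits


# Constructed sample data: row 2 carries a trailing newline that '$' would have
# let through a slug validator; row 3 carries a CRLF in an email field.
SAMPLE_ROWS = {
    1: {'slug': 'hello-world', 'email': 'a@example.com'},
    2: {'slug': 'hello-world\n', 'email': 'b@example.com'},
    3: {'slug': 'ok', 'email': 'c@example.com\r\n'},
}

if __name__ == '__main__':
    for value in ('hello-world', 'hello-world\n'):
        print(repr(value), 'pre-fix:', is_valid_slug(value, SLUG_BEFORE),
              'post-fix:', is_valid_slug(value, SLUG_AFTER))
    for hit in find_newline_records(SAMPLE_ROWS):
        print('needs cleaning:', hit)
```

Running it shows that "hello-world\n" passes the $-anchored pattern and fails the \Z-anchored one, and that the audit helper flags rows 2 and 3. The same swap of $ for \Z applies to any fullmatch-style validation regex in Python; using re.fullmatch() instead of re.match() with an anchor achieves the same strictness.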
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (937523) was mentioned in https://build.opensuse.org/request/show/338144 13.2 / python-Django
Was submitted in mr#73853/mr#73849.
This is an autogenerated message for OBS integration: This bug (937523) was mentioned in https://build.opensuse.org/request/show/338439 13.1 / python-django
openSUSE-SU-2015:1802-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 937522,937523 CVE References: CVE-2015-5143,CVE-2015-5144 Sources used: openSUSE 13.1 (src): python-django-1.5.12-0.2.14.1
SUSE-SU-2015:1810-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 937522,937523,941587 CVE References: CVE-2015-5143,CVE-2015-5144,CVE-2015-5963 Sources used: SUSE OpenStack Cloud 5 (src): python-Django-1.6.11-10.2
openSUSE-SU-2015:1813-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 937522,937523 CVE References: CVE-2015-5143,CVE-2015-5144 Sources used: openSUSE 13.2 (src): python-Django-1.6.11-3.10.1
SUSE-SU-2015:1815-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 937522,937523,941587 CVE References: CVE-2015-5143,CVE-2015-5144,CVE-2015-5963 Sources used: SUSE Enterprise Storage 1.0 (src): python-Django-1.6.11-8.1
Releasing for SES 2 which is the last affected product. Closing.
SUSE-SU-2016:0044-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 937522,937523,941587,955412 CVE References: CVE-2015-5143,CVE-2015-5144,CVE-2015-5963,CVE-2015-8213 Sources used: SUSE Enterprise Storage 2 (src): python-Django-1.6.11-3.1