-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:109
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : python-django
 Date    : March 29, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated python-django packages fix security vulnerabilities:

 Jedediah Smith discovered that Django incorrectly handled underscores in
 WSGI headers. A remote attacker could possibly use this issue to spoof
 headers in certain environments (CVE-2015-0219).

 Mikko Ohtamaa discovered that Django incorrectly handled user-supplied
 redirect URLs. A remote attacker could possibly use this issue to
 perform a cross-site scripting attack (CVE-2015-0220).

 Alex Gaynor discovered that Django incorrectly handled reading files in
 django.views.static.serve(). A remote attacker could possibly use this
 issue to cause Django to consume resources, resulting in a denial of
 service (CVE-2015-0221).

 Keryn Knight discovered that Django incorrectly handled forms with
 ModelMultipleChoiceField. A remote attacker could possibly use this
 issue to cause a large number of SQL queries, resulting in a database
 denial of service. Note that this issue only affected python-django
 (CVE-2015-0222).

 Cross-site scripting (XSS) vulnerability in the contents function in
 admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows
 remote attackers to inject arbitrary web script or HTML via a model
 attribute in ModelAdmin.readonly_fields, as demonstrated by a @property
 (CVE-2015-2241).
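The header-spoofing issue (CVE-2015-0219) comes from the CGI/WSGI naming rule: a header name is upper-cased, dashes become underscores and HTTP_ is prepended, so X-Auth-User and X_Auth_User both land on HTTP_X_AUTH_USER. A proxy that strips the dashed header from clients before setting its own value can still be bypassed by the underscored spelling. The following is an added example, not code from the advisory or from Django itself; it shows the collision on a constructed request and the defensive rule of discarding every header whose name contains an underscore before the environ is built (the same rule applied by Django's fix to its development server and, by default, by common front-end web servers). All names in it (SAMPLE_HEADERS, wsgi_key, build_environ, find_collisions) are assumptions of this example.

```python
"""Added example (not part of the Mandriva advisory or of Django's code base):
demonstrates the WSGI header ambiguity behind CVE-2015-0219 and the
defensive normalisation that closes it.
"""

from typing import Dict, List, Tuple

# Constructed sample request: a trusted header set by a reverse proxy and a
# client-sent look-alike that uses underscores instead of dashes. Names here
# are invented for the example.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Host", "app.example.internal"),
    ("X-Auth-User", "alice"),   # value the proxy sets for the backend
    ("X_Auth_User", "admin"),   # client-supplied look-alike the proxy ignored
    ("Content-Length", "0"),
]


def wsgi_key(name: str) -> str:
    """Map an HTTP header name to its CGI/WSGI environ key.

    Both '-' and '_' in the header name become '_' in the key, which is the
    root of the ambiguity.
    """
    key = name.upper().replace("-", "_")
    if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return key  # the CGI spec leaves these two without the HTTP_ prefix
    return "HTTP_" + key


def build_environ(headers: List[Tuple[str, str]],
                  strip_underscores: bool) -> Dict[str, str]:
    """Build the header part of a WSGI environ.

    With strip_underscores=False the last header wins (some servers instead
    join duplicates with ', '); either way the proxy's value is corrupted.
    With strip_underscores=True, header names containing '_' are dropped
    before mapping, so only the dashed spelling can reach the application.
    """
    environ: Dict[str, str] = {}
    for name, value in headers:
        if strip_underscores and "_" in name:
            continue  # reject: cannot have come from a well-formed dashed name
        environ[wsgi_key(name)] = value
    return environ


def find_collisions(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Report environ keys that more than one distinct header name maps to.

    Useful as a logging/detection hook at the edge: a collision means a
    request carried two spellings of the same logical header.
    """
    by_key: Dict[str, List[str]] = {}
    for name, _ in headers:
        names = by_key.setdefault(wsgi_key(name), [])
        if name not in names:
            names.append(name)
    return {key: names for key, names in by_key.items() if len(names) > 1}


if __name__ == "__main__":
    print("collisions:", find_collisions(SAMPLE_HEADERS))
    print("naive   :", build_environ(SAMPLE_HEADERS, strip_underscores=False))
    print("hardened:", build_environ(SAMPLE_HEADERS, strip_underscores=True))
```

Running the block shows HTTP_X_AUTH_USER resolving to the client's "admin" in the naive environ and to the proxy's "alice" in the hardened one; Content-Length is unaffected because its dashed name contains no underscore. In a deployment, the same check belongs at the outermost hop (the web server or proxy) so that no component behind it ever sees the ambiguous spelling.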
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0219
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0220
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0221
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0222
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2241
 http://advisories.mageia.org/MGASA-2015-0026.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:
 f5401bdad08aa38aeb7d7b722e663128  mbs2/x86_64/python3-django-1.7.7-1.mbs2.noarch.rpm
 e47fddab7db9e487deb8974880ba475b  mbs2/x86_64/python-django-1.7.7-1.mbs2.noarch.rpm
 f9022725b658fd13fe8c2a32ff5a3bbf  mbs2/x86_64/python-django-bash-completion-1.7.7-1.mbs2.noarch.rpm
 ce25238c42af0efb885ae649890fed2e  mbs2/x86_64/python-django-doc-1.7.7-1.mbs2.noarch.rpm
 f2f73820c324f1a946d0d55557fd24c2  mbs2/SRPMS/python-django-1.7.7-1.mbs2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF65FmqjQ0CJFipgRAoCpAJ4tltdOhv5kH910mcxuKav8lzWvAQCgzCms
XU8NmaHGkEIz/RuwYxv7+L4=
=oy1V
-----END PGP SIGNATURE-----