Bug 1119305 (Closed)
Opened 9 years ago
Closed 9 years ago
Django 1.4.18/1.6.10/1.7.3 update (Input)
Categories: Input :: General, defect, P1
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: willkg, Assigned: willkg
Details: Whiteboard: u=dev c=codequality p=1 s=input.2015q1
Description

On January 17th, 2014, the Django project will issue a set of releases to remedy security issues reported. This bug contains descriptions of the issues. Please read the entirety of this bug. Then on the release day either:

1. apply the update and mark this bug as FIXED, or
2. verify this doesn't apply to your project and close this bug with a WONTFIX plus an explanation of why these don't apply to your project

The rest of this bug is directly from the tracker bug

===

Notification is preliminary, details/patches have not yet been released.

Multiple vulnerabilities have been released related to the Django framework. These issues include denial of service issues, and problems with unsanitized user-supplied data that depending on the application could result in security impact.

Risk: MEDIUM

Impact type:
- DOS
- Possible system access depending on application / authentication bypass
- Possible end-user credential exposure

CVES:
- CVE-2015-0219 / WSGI header spoofing
- CVE-2015-0220 / XSS attack via user-supplied redirect URLs
- CVE-2015-0221 / DOS against django.views.static.service
- CVE-2015-0222 / DOS against ModelMultipleChoiceField

Affected:
- Django master development branch
- Django 1.7
- Django 1.6
- Django 1.5 (deprecated, not receiving security updates)
- Django 1.4

Resolved versions:
- Django 1.7.3
- Django 1.6.10
- Django 1.4.18
Comment 2 (Assignee) • 9 years ago
Bah. The security releases come out Tuesday, January **13**, **2015**.
Comment 3 (Assignee) • 9 years ago
Django Project just issued the security release. Details in their blog post: https://www.djangoproject.com/weblog/2015/jan/13/security/
Comment 4 (Assignee) • 9 years ago
The release doesn't seem to have anything that affects Input. I'm going to wait until Monday to update since we avoid pushing during release week.
Comment 6 (Assignee) • 9 years ago
Sticking it in this quarter.
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: u=dev c=codequality p=1 s=input.2015q1
Comment 7 (Assignee) • 9 years ago
PR: https://github.com/mozilla/fjord/pull/453
Landed in master: https://github.com/mozilla/fjord/commit/08baebb7264a3702a4d794725594cff281abf5bb
Pushed to prod just now.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 8 (Assignee) • 9 years ago
This is fixed now, so I'm un-hiding it.
Group: websites-security, mozilla-employee-confidential