Closed Bug 1119305 Opened 9 years ago Closed 9 years ago

Django 1.4.18/1.6.10/1.7.3 update (Input)

Categories

(Input :: General, defect, P1)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: willkg, Assigned: willkg)

Details

(Whiteboard: u=dev c=codequality p=1 s=input.2015q1)

On January 17th, 2014, the Django project will issue a set of releases to remedy security issues reported. This bug contains descriptions of the issues.

Please read the entirety of this bug. Then on the release day either:

1. apply the update and mark this bug as FIXED, or

2. verify this doesn't apply to your project and close this bug with a WONTFIX plus an explanation of why these don't apply to your project

The rest of this bug is directly from the tracker bug.

===

Notification is preliminary, details/patches have not yet been released.

Multiple vulnerabilities have been released related to the Django framework. These issues include denial of service issues, and problems with unsanitized user-supplied data that depending on the application could result in security impact.
 
Risk: MEDIUM
Impact type:
- DOS
- Possible system access depending on application / authentication bypass
- Possible end-user credential exposure

CVES:
- CVE-2015-0219 / WSGI header spoofing
- CVE-2015-0220 / XSS attack via user-supplied redirect URLs
- CVE-2015-0221 / DOS against django.views.static.service
- CVE-2015-0222 / DOS against ModelMultipleChoiceField

Affected:
- Django master development branch
- Django 1.7
- Django 1.6
- Django 1.5 (deprecated, not receiving security updates)
- Django 1.4

Resolved versions:
- Django 1.7.3
- Django 1.6.10
- Django 1.4.18

Fixing the blocker. Bah.
No longer blocks: 1119015

Bah. The security releases come out Tuesday, January **13**, **2015**.

Django Project just issued the security release. Details in their blog post:

https://www.djangoproject.com/weblog/2015/jan/13/security/

The release doesn't seem to have anything that affects Input. I'm going to wait until Monday to update since we avoid pushing during release week.

Grabbing it.
Assignee: nobody → willkg

Sticking it in this quarter.
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: u=dev c=codequality p=1 s=input.2015q1

PR: https://github.com/mozilla/fjord/pull/453

Landed in master: https://github.com/mozilla/fjord/commit/08baebb7264a3702a4d794725594cff281abf5bb

Pushed to prod just now.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED

This is fixed now, so I'm un-hiding it.
Group: websites-security, mozilla-employee-confidential