-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0631
                     Moderate: Django security update
                                1 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Django
Publisher:         Red Hat
Operating System:  Red Hat
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0474 CVE-2014-0473 CVE-2014-0472

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2014-0456.html
   https://rhn.redhat.com/errata/RHSA-2014-0457.html

Comment: This bulletin contains two (2) Red Hat security advisories.
         
         This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running Django check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Django security update
Advisory ID:       RHSA-2014:0456-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0456.html
Issue date:        2014-04-30
CVE Names:         CVE-2014-0472 CVE-2014-0473 CVE-2014-0474 
=====================================================================

1. Summary:

Updated Django packages that fix three security issues are now available
for Red Hat Enterprise Linux OpenStack Platform 4.0.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux OpenStack Platform 4.0 - noarch

3. Description:

The Django web framework is used by horizon, the OpenStack Dashboard, which
is a web interface for managing OpenStack services.

A flaw was found in the way Django's reverse() URL resolver function
constructed certain URLs. A remote attacker able to request a specially
crafted view from a Django application could use this flaw to import and
execute arbitrary Python modules on the system under the privileges of the
user running the application. (CVE-2014-0472)

It was found that Django's caching framework reused Cross-Site Request
Forgery (CSRF) nonces for all requests from unauthenticated clients.
A remote attacker could use this flaw to acquire the CSRF token of a
different user and bypass intended CSRF protections in a Django
application. (CVE-2014-0473)
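A toy model of the CVE-2014-0473 failure mode, added here as an illustration and not Django's own code: a page cache in front of a view that embeds a per-client CSRF token. When the cache stores the response a cookie-less client received (the response that minted that client's token), every later anonymous client is served the same token. The "fixed" branch models the upstream behaviour of refusing to store a response that sets a cookie for a cookie-less request; the view, cache class and token format are assumptions for the model.

```python
import secrets

def csrf_view(request_cookies):
    """Model of a view that needs a CSRF token: reuse the client's csrftoken cookie
    if present, otherwise mint one and set it on the response."""
    set_cookies = {}
    token = request_cookies.get("csrftoken")
    if token is None:
        token = secrets.token_hex(16)
        set_cookies["csrftoken"] = token
    body = f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">'
    return {"body": body, "set_cookies": set_cookies}

class CacheMiddleware:
    """Page cache keyed on URL plus the request's cookies (what Vary: Cookie yields)."""
    def __init__(self, skip_cookie_setting_responses):
        self.fixed = skip_cookie_setting_responses
        self.store = {}

    def handle(self, url, request_cookies):
        key = (url, tuple(sorted(request_cookies.items())))
        if key in self.store:
            return self.store[key]
        response = csrf_view(request_cookies)
        # Fixed behaviour (assumed model of the upstream fix): a response that sets a
        # cookie for a cookie-less request is client-specific and must not be cached,
        # otherwise the next anonymous client is handed the first client's token.
        if self.fixed and not request_cookies and response["set_cookies"]:
            return response
        self.store[key] = response
        return response

def token_from(response):
    """Pull the embedded token back out of the rendered form."""
    return response["body"].split('value="')[1].rstrip('">')

def tokens_for_two_anonymous_clients(fixed):
    """Two clients with no cookies request the same page; return the tokens they got."""
    mw = CacheMiddleware(fixed)
    alice = mw.handle("/login/", {})
    bob = mw.handle("/login/", {})
    return token_from(alice), token_from(bob)

if __name__ == "__main__":
    for fixed in (False, True):
        a, b = tokens_for_two_anonymous_clients(fixed)
        print("fixed" if fixed else "vulnerable", "cache: both clients share a token:", a == b)
```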

It was discovered that certain Django model field classes did not properly
perform type conversion on their arguments. A remote attacker could use
this flaw to submit a specially crafted SQL query that, when processed by a
Django application using a MySQL database, could have various
application-specific impacts on the MySQL database. (CVE-2014-0474)

Red Hat would like to thank the upstream Django project for reporting these
issues. Upstream acknowledges Benjamin Bach as the original reporter of
CVE-2014-0472, Paul McMillan as the original reporter of CVE-2014-0473, and
the Ruby on Rails team, and specifically Michael Koziarski, as the original
reporters of CVE-2014-0474.

All users of OpenStack Dashboard are advised to upgrade to these updated
packages, which resolve these issues. After installing the updated
packages, the httpd daemon must be restarted ("service httpd restart") for
the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1090588 - CVE-2014-0472 python-django: unexpected code execution using reverse()
1090592 - CVE-2014-0473 python-django: caching of anonymous pages could reveal CSRF token
1090593 - CVE-2014-0474 python-django: MySQL typecasting

6. Package List:

Red Hat Enterprise Linux OpenStack Platform 4.0:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/Django14-1.4.11-1.el6ost.src.rpm

noarch:
Django14-1.4.11-1.el6ost.noarch.rpm
Django14-doc-1.4.11-1.el6ost.noarch.rpm
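A fleet check for the fixed build named in the Package List above, added here as an example and not Red Hat's tooling: it compares an installed Django14 package against Django14-1.4.11-1.el6ost using a simplified rpmvercmp (numeric segments compare as integers, so 1.4.11 is newer than 1.4.9; tilde/caret ordering is not modelled). The sample lines are constructed and assume each host was queried with `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' Django14`, with the hostname prefixed.

```python
import re

# Fixed build from the Package List of this erratum.
FIXED_NVR = "Django14-1.4.11-1.el6ost"

def _segments(s):
    # rpmvercmp tokenisation: runs of digits or runs of letters; anything else separates.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1. Numeric segments compare as integers, alpha segments
    lexically, a numeric segment outranks an alpha one, and when one string runs
    out of segments the longer one is newer (simplified: no tilde/caret handling)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(nvr):
    """'Django14-1.4.11-1.el6ost' -> ('Django14', '1.4.11', '1.el6ost')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def is_patched(installed_nvr, fixed_nvr=FIXED_NVR):
    """True if the installed build is the fixed build or newer."""
    name, ver, rel = split_nvr(installed_nvr)
    fname, fver, frel = split_nvr(fixed_nvr)
    if name != fname:
        raise ValueError(f"package {name!r} is not {fname!r}")
    c = rpmvercmp(ver, fver)
    return c > 0 if c != 0 else rpmvercmp(rel, frel) >= 0

def check_hosts(rpm_query_lines):
    """Map 'host: <rpm output>' lines to True (patched), False (vulnerable) or None (absent)."""
    verdicts = {}
    for line in rpm_query_lines:
        host, _, nvr = line.partition(": ")
        verdicts[host] = None if nvr.startswith("package ") else is_patched(nvr)
    return verdicts

# Constructed sample output for three hypothetical Horizon hosts.
SAMPLE = [
    "horizon-a: Django14-1.4.8-1.el6ost",
    "horizon-b: Django14-1.4.11-1.el6ost",
    "horizon-c: package Django14 is not installed",
]

if __name__ == "__main__":
    for host, ok in check_hosts(SAMPLE).items():
        print(host, {True: "patched", False: "VULNERABLE", None: "not installed"}[ok])
```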

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0472.html
https://www.redhat.com/security/data/cve/CVE-2014-0473.html
https://www.redhat.com/security/data/cve/CVE-2014-0474.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTYUrNXlSAg2UNWIIRApoZAJ4wBQXGSWcekQHpDw+KSZ3aGIZ++QCdF2ez
Zh+WfqrYP5Am9GYnSR6tfyg=
=n4Pf
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Django security update
Advisory ID:       RHSA-2014:0457-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0457.html
Issue date:        2014-04-30
CVE Names:         CVE-2014-0472 CVE-2014-0473 CVE-2014-0474 
=====================================================================

1. Summary:

Updated Django packages that fix three security issues are now available
for Red Hat Enterprise Linux OpenStack Platform 3.0.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux OpenStack Platform 3.0 - noarch

3. Description:

The Django web framework is used by horizon, the OpenStack Dashboard, which
is a web interface for managing OpenStack services.

A flaw was found in the way Django's reverse() URL resolver function
constructed certain URLs. A remote attacker able to request a specially
crafted view from a Django application could use this flaw to import and
execute arbitrary Python modules on the system under the privileges of the
user running the application. (CVE-2014-0472)

It was found that Django's caching framework reused Cross-Site Request
Forgery (CSRF) nonces for all requests from unauthenticated clients.
A remote attacker could use this flaw to acquire the CSRF token of a
different user and bypass intended CSRF protections in a Django
application. (CVE-2014-0473)

It was discovered that certain Django model field classes did not properly
perform type conversion on their arguments. A remote attacker could use
this flaw to submit a specially crafted SQL query that, when processed by a
Django application using a MySQL database, could have various
application-specific impacts on the MySQL database. (CVE-2014-0474)

Red Hat would like to thank the upstream Django project for reporting these
issues. Upstream acknowledges Benjamin Bach as the original reporter of
CVE-2014-0472, Paul McMillan as the original reporter of CVE-2014-0473, and
the Ruby on Rails team, and specifically Michael Koziarski, as the original
reporters of CVE-2014-0474.

All users of OpenStack Dashboard are advised to upgrade to these updated
packages, which resolve these issues. After installing the updated
packages, the httpd daemon must be restarted ("service httpd restart") for
the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1090588 - CVE-2014-0472 python-django: unexpected code execution using reverse()
1090592 - CVE-2014-0473 python-django: caching of anonymous pages could reveal CSRF token
1090593 - CVE-2014-0474 python-django: MySQL typecasting

6. Package List:

Red Hat Enterprise Linux OpenStack Platform 3.0:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/Django14-1.4.11-1.el6ost.src.rpm

noarch:
Django14-1.4.11-1.el6ost.noarch.rpm
Django14-doc-1.4.11-1.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0472.html
https://www.redhat.com/security/data/cve/CVE-2014-0473.html
https://www.redhat.com/security/data/cve/CVE-2014-0474.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTYUriXlSAg2UNWIIRAiBbAKCzfNCxWKz7qUgoLxW500wxbknLMACfVCl1
0K4g9NY90xpK59DV0IKh/cE=
=vRtE
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----