Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.OPENSUSE-2014-542.NASL
HistorySep 17, 2014 - 12:00 a.m.

openSUSE Security Update : python-django (openSUSE-SU-2014:1132-1)

2014-09-1700:00:00
This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
18
JSON

Python Django was updated to fix security issues and bugs.

Update to version 1.4.15 on openSUSE 12.3 :

  • Prevented reverse() from generating URLs pointing to other hosts to prevent phishing attacks (bnc#893087, CVE-2014-0480)

  • Removed O(n) algorithm when uploading duplicate file names to fix file upload denial of service (bnc#893088, CVE-2014-0481)

  • Modified RemoteUserMiddleware to logout on REMOTE_USE change to prevent session hijacking (bnc#893089, CVE-2014-0482)

  • Prevented data leakage in contrib.admin via query string manipulation (bnc#893090, CVE-2014-0483)

  • Fixed: Caches may incorrectly be allowed to store and serve private data (bnc#877993, CVE-2014-1418)

  • Fixed: Malformed redirect URLs from user input not correctly validated (bnc#878641, CVE-2014-3730)

  • Fixed queries that may return unexpected results on MySQL due to typecasting (bnc#874956, CVE-2014-0474)

  • Prevented leaking the CSRF token through caching (bnc#874955, CVE-2014-0473)

  • Fixed a remote code execution vulnerability in URL reversing (bnc#874950, CVE-2014-0472)

Update to version 1.5.10 on openSUSE 13.1 :

  • Prevented reverse() from generating URLs pointing to other hosts to prevent phishing attacks (bnc#893087, CVE-2014-0480)

  • Removed O(n) algorithm when uploading duplicate file names to fix file upload denial of service (bnc#893088, CVE-2014-0481)

  • Modified RemoteUserMiddleware to logout on REMOTE_USE change to prevent session hijacking (bnc#893089, CVE-2014-0482)

  • Prevented data leakage in contrib.admin via query string manipulation (bnc#893090, CVE-2014-0483)

  • Update to version 1.5.8 :

  • Fixed: Caches may incorrectly be allowed to store and serve private data (bnc#877993, CVE-2014-1418)

  • Fixed: Malformed redirect URLs from user input not correctly validated (bnc#878641, CVE-2014-3730)

  • Fixed queries that may return unexpected results on MySQL due to typecasting (bnc#874956, CVE-2014-0474)

  • Prevented leaking the CSRF token through caching (bnc#874955, CVE-2014-0473)

  • Fixed a remote code execution vulnerability in URL reversing (bnc#874950, CVE-2014-0472)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2014-542.
#
# The text description of this plugin is (C) SUSE LLC.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(77718);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2014-0472", "CVE-2014-0473", "CVE-2014-0474", "CVE-2014-0480", "CVE-2014-0481", "CVE-2014-0482", "CVE-2014-0483", "CVE-2014-1418", "CVE-2014-3730");

  script_name(english:"openSUSE Security Update : python-django (openSUSE-SU-2014:1132-1)");
  script_summary(english:"Check for the openSUSE-2014-542 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Python Django was updated to fix security issues and bugs.

Update to version 1.4.15 on openSUSE 12.3 :

  + Prevented reverse() from generating URLs pointing to
    other hosts to prevent phishing attacks (bnc#893087,
    CVE-2014-0480)

  + Removed O(n) algorithm when uploading duplicate file
    names to fix file upload denial of service (bnc#893088,
    CVE-2014-0481)

  + Modified RemoteUserMiddleware to logout on REMOTE_USE
    change to prevent session hijacking (bnc#893089,
    CVE-2014-0482)

  + Prevented data leakage in contrib.admin via query string
    manipulation (bnc#893090, CVE-2014-0483)

  + Fixed: Caches may incorrectly be allowed to store and
    serve private data (bnc#877993, CVE-2014-1418)

  + Fixed: Malformed redirect URLs from user input not
    correctly validated (bnc#878641, CVE-2014-3730)

  + Fixed queries that may return unexpected results on
    MySQL due to typecasting (bnc#874956, CVE-2014-0474)

  + Prevented leaking the CSRF token through caching
    (bnc#874955, CVE-2014-0473)

  + Fixed a remote code execution vulnerability in URL
    reversing (bnc#874950, CVE-2014-0472)

Update to version 1.5.10 on openSUSE 13.1 :

  + Prevented reverse() from generating URLs pointing to
    other hosts to prevent phishing attacks (bnc#893087,
    CVE-2014-0480)

  + Removed O(n) algorithm when uploading duplicate file
    names to fix file upload denial of service (bnc#893088,
    CVE-2014-0481)

  + Modified RemoteUserMiddleware to logout on REMOTE_USE
    change to prevent session hijacking (bnc#893089,
    CVE-2014-0482)

  + Prevented data leakage in contrib.admin via query string
    manipulation (bnc#893090, CVE-2014-0483)

  - Update to version 1.5.8 :

  + Fixed: Caches may incorrectly be allowed to store and
    serve private data (bnc#877993, CVE-2014-1418)

  + Fixed: Malformed redirect URLs from user input not
    correctly validated (bnc#878641, CVE-2014-3730)

  + Fixed queries that may return unexpected results on
    MySQL due to typecasting (bnc#874956, CVE-2014-0474)

  + Prevented leaking the CSRF token through caching
    (bnc#874955, CVE-2014-0473)

  + Fixed a remote code execution vulnerability in URL
    reversing (bnc#874950, CVE-2014-0472)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=874950"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=874955"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=874956"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=877993"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=878641"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=893087"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=893088"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=893089"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=893090"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected python-django package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-django");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/09/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE12\.3|SUSE13\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3 / 13.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);



flag = 0;

if ( rpm_check(release:"SUSE12.3", reference:"python-django-1.4.15-2.12.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"python-django-1.5.10-0.2.8.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-django");
}
VendorProductVersionCPE
novellopensusepython-djangop-cpe:/a:novell:opensuse:python-django
novellopensuse12.3cpe:/o:novell:opensuse:12.3
novellopensuse13.1cpe:/o:novell:opensuse:13.1

References

Related

fedora 17
openvas 37
osv 20
debian 5
nessus 28
securityvulns 6
gentoo 2
freebsd 2
mageia 3
ubuntu 4
ibm 4
redhat 2
prion 9
ubuntucve 9
github 8
gitlab 6
debiancve 9
cve 9
veracode 1
fedora
fedora
[SECURITY] Fedora 20 Update: python-django-1.6.6-1.fc20
2014-09-09 22:26:59
[SECURITY] Fedora 20 Update: python-django14-1.4.16-1.fc20
2014-12-01 18:59:44
[SECURITY] Fedora 20 Update: python-django14-1.4.14-1.fc20
2014-09-09 22:27:18
openvas
openvas
Fedora Update for python-django FEDORA-2014-9771
2014-09-10 00:00:00
Fedora Update for python-django14 FEDORA-2014-9788
2014-09-10 00:00:00
Fedora Update for python-django14 FEDORA-2014-15266
2014-12-02 00:00:00
osv
osv
python-django - security update
2014-05-19 00:00:00
python-django - security update
2014-08-22 00:00:00
python-django - security update
2014-09-29 00:00:00
debian
debian
[SECURITY] [DSA 2934-1] python-django security update
2014-05-19 20:39:58
[SECURITY] [DSA 2934-1] python-django security update
2014-05-19 20:39:58
[SECURITY] [DSA 3010-1] python-django security update
2014-08-22 20:52:59
nessus
nessus
Mandriva Linux Security Advisory : python-django (MDVSA-2014:113)
2014-06-11 00:00:00
Debian DSA-2934-1 : python-django - security update
2014-05-20 00:00:00
Mandriva Linux Security Advisory : python-django (MDVSA-2014:179)
2014-09-12 00:00:00
securityvulns
securityvulns
[SECURITY] [DSA 2934-1] python-django security update
2014-06-14 00:00:00
[SECURITY] [DSA 3010-1] python-django security update
2014-08-26 00:00:00
[oss-security] CVE Reuest: Django: Malformed URLs from user input incorrectly validated
2014-05-15 00:00:00
gentoo
gentoo
Django: Multiple vulnerabilities
2014-06-26 00:00:00
Django: Multiple vulnerabilities
2014-12-13 00:00:00
freebsd
freebsd
django -- multiple vulnerabilities
2014-08-20 00:00:00
django -- multiple vulnerabilities
2014-04-21 00:00:00
mageia
mageia
Updated python-django packages fix multiple vulnerabilities
2014-09-05 13:07:37
Updated python-django packages fix multiple vulnerabilities
2014-04-28 19:54:39
Updated python-django package fix two vulnerabilities
2014-05-19 22:53:32
ubuntu
ubuntu
Django vulnerabilities
2014-09-16 00:00:00
Django regression
2014-04-23 00:00:00
Django vulnerabilities
2014-04-22 00:00:00
ibm
ibm
Security Bulletin: Vulnerabilities in Django affect SmartCloud Provisioning (CVE-2014-0480, CVE-2014-0481, CVE-2014-0482, CVE-2014-0483)
2018-06-17 22:30:12
Security Bulletin: Vulnerabilities in Django affect IBM SmartCloud Provisioning shipped with IBM SmartCloud Orchestrator (CVE-2014-0480, CVE-2014-0481, CVE-2014-0482, CVE-2014-0483).
2018-06-17 22:30:50
Security Bulletin: SmartCloud Provisioning - Django vulnerabilities reported in April 2014 X-Force Report
2018-06-17 22:30:12
redhat
redhat
(RHSA-2014:0456) Moderate: Django security update
2014-04-30 00:00:00
(RHSA-2014:0457) Moderate: Django security update
2014-04-30 00:00:00
prion
prion
Open redirect
2014-05-16 15:55:00
Default configuration
2014-08-26 14:55:00
Cross site request forgery (csrf)
2014-04-23 15:55:00
ubuntucve
ubuntucve
CVE-2014-0481
2014-08-26 00:00:00
CVE-2014-0473
2014-04-22 00:00:00
CVE-2014-3730
2014-05-16 00:00:00
github
github
Django denial of service via file upload naming
2022-05-14 02:05:08
Django Reuses Cached CSRF Token
2022-05-17 03:07:04
Django Vulnerable to MySQL Injection
2022-05-17 03:07:04
gitlab
gitlab
Malformed URLs from user input incorrectly validated
2014-05-16 00:00:00
Caching of anonymous pages could reveal CSRF token
2014-04-23 00:00:00
Unexpected code execution using reverse()
2014-04-23 00:00:00
debiancve
debiancve
CVE-2014-0481
2014-08-26 14:55:00
CVE-2014-0474
2014-04-23 15:55:00
CVE-2014-0472
2014-04-23 15:55:00
cve
cve
CVE-2014-0481
2014-08-26 14:55:00
CVE-2014-3730
2014-05-16 15:55:00
CVE-2014-1418
2014-05-16 15:55:00
veracode
veracode
Remote Code Execution (RCE)
2019-01-15 09:01:30
JSON
Related for OPENSUSE-2014-542.NASL
fedora17openvas37osv20debian5nessus28securityvulns6gentoo2freebsd2mageia3ubuntu4ibm4redhat2prion9ubuntucve9github8gitlab6debiancve9cve9veracode1