Updated Django packages that fix three security issues are now availablefor Red Hat Enterprise Linux OpenStack Platform 3.0.The Red Hat Security Response Team has rated this update as having Moderatesecurity impact. Common Vulnerability Scoring System (CVSS) base scores,which give detailed severity ratings, are available for each vulnerabilityfrom the CVE links in the References section.
The Django web framework is used by horizon, the OpenStack Dashboard, whichis a web interface for managing OpenStack services.A flaw was found in the way Django’s reverse() URL resolver functionconstructed certain URLs. A remote attacker able to request a speciallycrafted view from a Django application could use this flaw to import andexecute arbitrary Python modules on the system under the privileges of theuser running the application. (CVE-2014-0472)It was found that Django’s caching framework reused Cross-Site RequestForgery (CSRF) nonces for all requests from unauthenticated clients.A remote attacker could use this flaw to acquire the CSRF token of adifferent user and bypass intended CSRF protections in a Djangoapplication. (CVE-2014-0473)It was discovered that certain Django model field classes did not properlyperform type conversion on their arguments. A remote attacker could usethis flaw to submit a specially crafted SQL query that, when processed by aDjango application using a MySQL database, could have variousapplication-specific impacts on the MySQL database. (CVE-2014-0474)Red Hat would like to thank the upstream Django project for reporting thisissue. Upstream acknowledges Benjamin Bach as the original reporter ofCVE-2014-0472, Paul McMillan as the original reporter of CVE-2014-0473, andthe Ruby on Rails team, and specifically Michael Koziarski, as the originalreporters of CVE-2014-0474.All users of OpenStack Dashboard are advised to upgrade to these updatedpackages, which resolve these issues. After installing the updatedpackages, the httpd daemon must be restarted (“service httpd restart”) forthe update to take effect.
Before applying this update, make sure all previously released erratarelevant to your system have been applied.This update is available via the Red Hat Network. Details on how touse the Red Hat Network to apply this update are available athttps://access.redhat.com/site/articles/11258
1090588 – CVE-2014-0472 python-django: unexpected code execution using reverse()1090592 – CVE-2014-0473 python-django: caching of anonymous pages could reveal CSRF token1090593 – CVE-2014-0474 python-django: MySQL typecasting
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from: