Launchpad.net

CVE 2014-0472

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

Related bugs and status

CVE-2014-0472 (Candidate) is related to these bugs:

Bug #1309779: Unexpected code execution using ``reverse()``

		In	Importance	Status
1309779	Unexpected code execution using ``reverse()``	python-django (Ubuntu)	Undecided	Fix Released
1309779	Unexpected code execution using ``reverse()``	python-django (Ubuntu Lucid)	Undecided	Fix Released
1309779	Unexpected code execution using ``reverse()``	python-django (Ubuntu Trusty)	Undecided	Fix Released
1309779	Unexpected code execution using ``reverse()``	python-django (Ubuntu Quantal)	Undecided	Fix Released
1309779	Unexpected code execution using ``reverse()``	python-django (Ubuntu Saucy)	Undecided	Fix Released
1309779	Unexpected code execution using ``reverse()``	python-django (Ubuntu Precise)	Undecided	Fix Released

Bug #1311433: REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'

		In	Importance	Status
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	python-django (Ubuntu)	Critical	Fix Released
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	Django	Unknown	Unknown
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	MAAS	Critical	Fix Released
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	MAAS 1.5	Critical	Fix Released
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	python-django (Ubuntu Quantal)	Critical	Fix Released
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	python-django (Ubuntu Lucid)	Critical	Fix Released
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	python-django (Ubuntu Saucy)	Critical	Fix Released
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	python-django (Ubuntu Trusty)	Critical	Fix Released
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	python-django (Ubuntu Precise)	Critical	Fix Released
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	python-django (Debian)	Undecided	New
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	maas (Ubuntu)	Undecided	Fix Released
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	maas (Ubuntu Lucid)	Undecided	Won't Fix
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	maas (Ubuntu Precise)	Undecided	Won't Fix
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	maas (Ubuntu Quantal)	Undecided	Won't Fix
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	maas (Ubuntu Saucy)	Undecided	Won't Fix
1311433	REGRESSION: AttributeError: 'functools.partial' object has no attribute '__module__'	maas (Ubuntu Trusty)	Undecided	Fix Released

Bug #1323929: Sync python-django 1.6.5-1 (main) from Debian sid (main)

Summary				In	Importance	Status
	1323929	Sync python-django 1.6.5-1 (main) from Debian sid (main)		python-django (Ubuntu)	Wishlist	Fix Released

Bug #1644346: SRU update Trusty to Python Django 1.6.11

Summary				In	Importance	Status
	1644346	SRU update Trusty to Python Django 1.6.11		python-django (Ubuntu)	Medium	Invalid
	1644346	SRU update Trusty to Python Django 1.6.11		python-django (Ubuntu Trusty)	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://www.djangoproj...
UBUNTU: USN-2169-1
DEBIAN: DSA-2934
REDHAT: RHSA-2014:0456
REDHAT: RHSA-2014:0457
SUSE: openSUSE-SU-2014:1132
SECUNIA: 61281