CVE-2014-0474

Advisory

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."

Affected package

Affected versions

Fixed versions

Vulnerability changelog

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."


CONFIRM:https://www.djangoproject.com/weblog/2014/apr/21/security/: https://www.djangoproject.com/weblog/2014/apr/21/security/
DEBIAN:DSA-2934: http://www.debian.org/security/2014/dsa-2934
REDHAT:RHSA-2014:0456: http://rhn.redhat.com/errata/RHSA-2014-0456.html
REDHAT:RHSA-2014:0457: http://rhn.redhat.com/errata/RHSA-2014-0457.html
SUSE:openSUSE-SU-2014:1132: http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
UBUNTU:USN-2169-1: http://www.ubuntu.com/usn/USN-2169-1
SECUNIA:61281: http://secunia.com/advisories/61281

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0474
• https://www.djangoproject.com/weblog/2014/apr/21/security/
• http://www.ubuntu.com/usn/USN-2169-1
• http://rhn.redhat.com/errata/RHSA-2014-0457.html
• http://www.debian.org/security/2014/dsa-2934
• http://rhn.redhat.com/errata/RHSA-2014-0456.html
• http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
• http://secunia.com/advisories/61281