1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3010-1] python-django security update

    From Salvatore Bonaccorso@1:229/2 to All on Fri Aug 22 23:00:02 2014
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3010-1 [email protected] http://www.debian.org/security/ Salvatore Bonaccorso August 22, 2014 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : python-django
    CVE ID : CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483

    Several vulnerabilities were discovered in Django, a high-level Python
    web development framework. The Common Vulnerabilities and Exposures
    project identifies the following problems:

    CVE-2014-0480

    Florian Apolloner discovered that in certain situations, URL
    reversing could generate scheme-relative URLs which could
    unexpectedly redirect a user to a different host, leading to
    phishing attacks.

    CVE-2014-0481

    David Wilson reported a file upload denial of service vulnerability.
    Django's file upload handling in its default configuration may
    degrade to producing a huge number of `os.stat()` system calls when
    a duplicate filename is uploaded. A remote attacker with the ability
    to upload files can cause poor performance in the upload handler,
    eventually causing it to become very slow.

    CVE-2014-0482

    David Greisen discovered that under some circumstances, the use of
    the RemoteUserMiddleware middleware and the RemoteUserBackend
    authentication backend could result in one user receiving another
    user's session, if a change to the REMOTE_USER header occurred
    without corresponding logout/login actions.

    CVE-2014-0483

    Collin Anderson discovered that it is possible to reveal any field's
    data by modifying the "popup" and "to_field" parameters of the query
    string on an admin change form page. A user with access to the admin
    interface, and with sufficient knowledge of model structure and the
    appropriate URLs, could construct popup views which would display
    the values of non-relationship fields, including fields the
    application developer had not intended to expose in such a fashion.

    For the stable distribution (wheezy), these problems have been fixed in
    version 1.4.5-1+deb7u8.

    For the unstable distribution (sid), these problems have been fixed in
    version 1.6.6-1.

    We recommend that you upgrade your python-django packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCgAGBQJT961QAAoJEAVMuPMTQ89Ek1cP/j0scgKT8Sn1GFT5iIqwWxny 3vrKdRknxLE/F6t3dbCkSKCgv0syEfBQb+SjrjV/scUC8fibV9mgG8QnV/JLG80z 9OMhPaDBlyvwCal0S77x/OxDz1zL/nKxWBw4X4KRDZvpp127hQjfPqaJ9oIrClzy Cfuz8vKuVevIMzodcxvWu3th3SrWGw7/g5Tn3hioSY3iWyseL1PgcfihL9udnSWx rFoch/vZU3nQNvo8b2p+J5KUc3ScULzRlEzRiFTrKCfPNasmVa6Me82cPBD1aFP8 uNjLoEmGgG/6ASDbTZhYjCR5bI7sP1zTyEHMpwzE/hKxCLALXcKQe11IdrnkUVHc r1LLYs+n8Iu9/z9DewIxwu0gM7csWeN3kWfsb4iyFJ7Ne2XvRKu/Z2d2fXk7Avn/ QZ+zQndkNE2JxKGSTLbH5hd6TwrbcNGvL34kesNGdIW6MDfQcQWCN32x0Yv+Wo9t MGNT0bueeKZHLSysdXeYK0OJCT7Xu4OOpckgg2JOmVleNnY48dh3rpT0cNCW7FXf kp3JR1ue8trsCN/eVSrtuHfpWvGu7kdKJUtQFb1Vm6TVoMgF+yqdclsGA9rbcwl4 DyPR0X+IKdjd6jAgvRmJgARHtp407a9nuTVoeG0dMUqB4GcTEpzLmiQnMeotanb8 TVdUNBobncNRo2ERBo/d
    =QCy+
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)