Debian: DSA-2332-1: python-django security update

    Date: 29 Oct 2011
    Category: Debian
    Posted by: LinuxSecurity Advisories
    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-2332-1        [e-mail address obfuscated by the reposting site]
    http://www.debian.org/security/                           Thijs Kinkhorst
    October 29, 2011                       http://www.debian.org/security/faq
    - -------------------------------------------------------------------------
    
    Package        : python-django
    Vulnerability  : several issues
    Problem type   : remote
    Debian-specific: no
    CVE ID         : CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 CVE-2011-4140
    Debian Bug     : 641405
    
    Paul McMillan, Mozilla and the Django core team discovered several
    vulnerabilities in Django, a Python web framework:
    
    CVE-2011-4136
    
      When using memory-based sessions and caching, Django sessions are
      stored directly in the root namespace of the cache. When user data is
      stored in the same cache, a remote user may take over a session.
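The namespace problem behind CVE-2011-4136, shown as an added example (this is not Django's own code and not part of the advisory). A single in-memory cache is shared by a session store and by ordinary application code; the first store writes session records under the raw session key, the second under a reserved prefix (`SESSION_PREFIX` is an assumed value, standing in for whatever fixed prefix a real backend reserves). The helper at the end reports whether a session record survives an application cache write whose key happens to equal the session key.

```python
# Added example, not part of DSA-2332-1 or of Django: a cache shared by
# a session store and by application code, with and without a reserved
# namespace for session records.

class SharedCache:
    """Stand-in for a process-local cache backend (a plain dict)."""

    def __init__(self):
        self._data = {}

    def get(self, key, default=None):
        return self._data.get(key, default)

    def set(self, key, value):
        self._data[key] = value


class RootNamespaceSessionStore:
    """Vulnerable shape: the session key is used as the raw cache key,
    so it lives in the same namespace as every other cached value."""

    def __init__(self, cache):
        self.cache = cache

    def save(self, session_key, data):
        self.cache.set(session_key, data)

    def load(self, session_key):
        return self.cache.get(session_key, {})


SESSION_PREFIX = "sessions:"   # assumed prefix; any fixed reserved string works


class NamespacedSessionStore:
    """Hardened shape: every session record lives under a reserved prefix
    that application code never uses for its own keys."""

    def __init__(self, cache):
        self.cache = cache

    def _key(self, session_key):
        return SESSION_PREFIX + session_key

    def save(self, session_key, data):
        self.cache.set(self._key(session_key), data)

    def load(self, session_key):
        return self.cache.get(self._key(session_key), {})


def cache_user_value(cache, name, value):
    """Application code caching something under a key derived from user
    data, as the advisory describes."""
    cache.set(name, value)


def session_survives_collision(store_cls):
    """Return True if a session record is unaffected by an application
    cache write whose key equals the session key (constructed inputs)."""
    cache = SharedCache()
    store = store_cls(cache)
    sid = "abc123"                                  # constructed session id
    store.save(sid, {"user_id": 42})
    cache_user_value(cache, sid, {"user_id": 1})    # same raw key
    return store.load(sid) == {"user_id": 42}


if __name__ == "__main__":
    print("root namespace :", session_survives_collision(RootNamespaceSessionStore))
    print("namespaced     :", session_survives_collision(NamespacedSessionStore))
```

The point to check in an audit is not the prefix string itself but that no other code path can write under it: a prefix only helps if it is reserved for sessions across the whole deployment that shares the cache.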
    
    CVE-2011-4137, CVE-2011-4138
    
      Django's field type URLField by default checks supplied URLs by
      issuing a request to them, which does not time out. A Denial of
      Service is possible by supplying specially prepared URLs that keep
      the connection open indefinitely or fill the Django server's memory.
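A bounded version of the "does this URL exist" check, as an added example (not Django's `verify_exists` code and not part of the advisory). The two limits the advisory implies are both enforced: a socket timeout on the request, and a hard cap on how many bytes of the response are read. `MAX_BYTES`, `TIMEOUT`, `url_reachable` and the `FakeOpener`/`EndlessResponse` stand-ins are all assumptions made for this example so it can run offline; the opener argument is there so the check can be exercised without a network.

```python
# Added example, not Django's URLField implementation: an existence check
# with a request timeout and a cap on bytes read from the response.
import io
import socket
import urllib.request
from urllib.error import URLError

MAX_BYTES = 64 * 1024   # assumed cap on bytes read from the checked URL
TIMEOUT = 5.0           # assumed socket timeout in seconds


def read_bounded(stream, limit=MAX_BYTES, chunk_size=4096):
    """Read at most `limit` bytes from a file-like object.
    Returns (data, truncated). Chunked reads with a hard cap mean a body
    that never ends cannot grow memory without bound."""
    chunks, total = [], 0
    while total < limit:
        chunk = stream.read(min(chunk_size, limit - total))
        if not chunk:
            return b"".join(chunks), False
        chunks.append(chunk)
        total += len(chunk)
    return b"".join(chunks), bool(stream.read(1))


def url_reachable(url, opener=None, timeout=TIMEOUT):
    """Bounded existence check. True when the server answered with a
    non-error status; False on timeout, network error or HTTP error.
    `opener` is injectable so the behaviour can be shown offline."""
    opener = opener or urllib.request.build_opener()
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            read_bounded(resp)            # never read more than MAX_BYTES
            return 200 <= resp.status < 400
    except (URLError, socket.timeout, OSError):
        return False


# --- constructed stand-ins for offline demonstration (no real server) ---
class EndlessResponse(io.RawIOBase):
    """A response body that never ends: the 'fill memory' case."""
    status = 200

    def readable(self):
        return True

    def readinto(self, b):
        n = len(b)
        b[:n] = b"A" * n
        return n


class FakeOpener:
    """Opener returning a fixed response, or raising a fixed exception
    (e.g. OSError for a timeout)."""

    def __init__(self, response=None, error=None):
        self.response, self.error = response, error

    def open(self, req, timeout=None):
        if self.error is not None:
            raise self.error
        return self.response


if __name__ == "__main__":
    print(url_reachable("http://example.invalid/",
                        opener=FakeOpener(response=EndlessResponse())))
    print(url_reachable("http://example.invalid/",
                        opener=FakeOpener(error=OSError("timed out"))))
```

Whether a form field should make outbound requests at all is a separate design question; if it must, both limits belong in the same place so that neither an idle connection nor an unbounded body can hold a worker.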
    
    CVE-2011-4139
    
      Django used X-Forwarded-Host headers to construct full URLs. This
      header is not necessarily trusted input and could be used to poison
      the cache.
    
    CVE-2011-4140
    
      The CSRF protection mechanism in Django does not properly handle
      web-server configurations supporting arbitrary HTTP Host headers,
      which allows remote attackers to trigger unauthenticated forged
      requests.
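Host handling that addresses both CVE-2011-4139 and CVE-2011-4140 at the point where a request's host is resolved, as an added example (not Django's request code and not part of the advisory). It assumes an allowlist `ALLOWED_HOSTS` and a flag `USE_X_FORWARDED_HOST` that a deployment turns on only when a reverse proxy it controls overwrites that header; the header dict is assumed to use canonical key spelling. Absolute URLs and the CSRF referer comparison both go through the allowlist rather than trusting whatever the client sent.

```python
# Added example, not Django's own request handling: resolve the request
# host against an allowlist, honour X-Forwarded-Host only on opt-in, and
# compare the CSRF Referer against the allowlist rather than the Host header.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com", "www.example.com"}   # assumed allowlist
USE_X_FORWARDED_HOST = False   # assumed default; True only behind a trusted proxy


def _hostname(host_header):
    """Lower-cased hostname without port; None if unparseable."""
    try:
        return urlsplit("//" + host_header.strip()).hostname
    except ValueError:
        return None


def get_host(headers, allowed=ALLOWED_HOSTS, use_forwarded=USE_X_FORWARDED_HOST):
    """Return the host to build URLs with, or None if the request names a
    host this deployment does not serve. X-Forwarded-Host is consulted
    only when the deployment has opted in."""
    host = headers.get("X-Forwarded-Host") if use_forwarded else None
    if not host:
        host = headers.get("Host")
    if not host:
        return None
    host = host.split(",")[0].strip()       # first value if a proxy chained several
    hostname = _hostname(host)
    if hostname is None or hostname not in allowed:
        return None
    return host.lower()


def build_absolute_uri(headers, path, scheme="https"):
    """Absolute URL for `path`; refuses to embed an unrecognised host."""
    host = get_host(headers)
    if host is None:
        raise ValueError("request Host is not an allowed host")
    return f"{scheme}://{host}{path}"


def csrf_referer_ok(headers, allowed=ALLOWED_HOSTS):
    """CSRF origin check for HTTPS: the Referer must be HTTPS and name an
    allowed host. Comparing against the client-controlled Host header
    instead would let any Host value satisfy the check."""
    ref = headers.get("Referer")
    if not ref:
        return False
    parsed = urlsplit(ref)
    return parsed.scheme == "https" and parsed.hostname in allowed


if __name__ == "__main__":
    # constructed request headers
    print(get_host({"Host": "www.example.com"}))
    print(get_host({"Host": "www.example.com", "X-Forwarded-Host": "other.example"}))
    print(build_absolute_uri({"Host": "example.com"}, "/accounts/login/"))
```

The same allowlist serves both fixes: cache keys and absolute URLs are built only from hosts the deployment claims, and the CSRF check no longer depends on a header the client chooses.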
    
    For the oldstable distribution (lenny), this problem has been fixed in
    version 1.0.2-1+lenny3.
    
    For the stable distribution (squeeze), this problem has been fixed in
    version 1.2.3-3+squeeze2.
    
    For the testing (wheezy) and unstable distribution (sid), this problem
    has been fixed in version 1.3.1-1.
    
    We recommend that you upgrade your python-django packages.
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/
    
    Mailing list: [e-mail address obfuscated by the reposting site]
    