
Debian: DSA-3010-1 Critical: Python-Django Phishing And DoS

August 22, 2014
Multiple significant vulnerabilities in python-django, impacting Ubuntu; the patch mitigates data breach and service interruption threats.
Several vulnerabilities were discovered in Django, a high-level Python web development framework.

Summary

CVE-2014-0480

Florian Apolloner discovered that in certain situations, URL
reversing could generate scheme-relative URLs which could
unexpectedly redirect a user to a different host, leading to
phishing attacks.
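The hazard described for CVE-2014-0480 is a scheme-relative target such as `//other-host/path`, which a browser resolves against the current scheme and follows to a different host. As an added example that is not part of the advisory or of Django's own code, the check below shows how a view can validate a redirect target before using it, rejecting scheme-relative forms, the backslash variant some browsers normalise to `//`, and absolute URLs on any host other than the assumed `allowed_host`.

```python
# Added example: a defensive check for redirect targets (not Django's code).
# `allowed_host` is an assumed parameter: the host the application is served on.
from urllib.parse import urlsplit


def _stays_on_host(url: str, allowed_host: str) -> bool:
    # Browsers collapse a run of leading slashes into an authority, so
    # "///other-host" behaves like "//other-host"; urlsplit does not see that.
    if url.startswith("///"):
        return False
    parts = urlsplit(url)
    # A scheme without a netloc ("javascript:...", "http:other-host") is never
    # a plain local path.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    # netloc is set for both "//host/path" and "https://host/path".
    # It includes any port, so "example.com:8080" does not match "example.com".
    if parts.netloc and parts.netloc.lower() != allowed_host.lower():
        return False
    return True


def is_local_redirect(target: str, allowed_host: str) -> bool:
    """Return True only if `target` keeps the user on `allowed_host`.

    The check runs twice: once on the raw string and once with every
    backslash replaced by a slash, because browsers treat "/\\other-host"
    the same as "//other-host" while urlsplit treats it as a path.
    """
    if not target:
        return False
    return _stays_on_host(target, allowed_host) and _stays_on_host(
        target.replace("\\", "/"), allowed_host
    )
```

A view that reads its redirect target from a query parameter or from a pattern-derived URL would fall back to a fixed local path whenever `is_local_redirect` returns False.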

CVE-2014-0481

David Wilson reported a file upload denial of service vulnerability.
Django's file upload handling in its default configuration may
degrade to producing a huge number of `os.stat()` system calls when
a duplicate filename is uploaded. A remote attacker with the ability
to upload files can cause poor performance in the upload handler,
eventually causing it to become very slow.

CVE-2014-0482

David Greisen discovered that under some circumstances, the use of
the RemoteUserMiddleware middleware and the RemoteUserBackend
authentication backend could result in one user receiving another
user's session, if a change to the REMOTE_USER header occurred
without corresponding logout/login actions.

CVE-2014-0483

Collin Anderson di...


Severity: critical

Package: python-django
CVE ID: CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483
