Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 461
Alerts This Week
Warning Icon 1 461

Ubuntu 14.10 USN-2469-1 Moderate: Django Security Flaws

ubuntu
Calendar Grey January 13, 2015
Dist Ubuntu Esm H88
Key security vulnerabilities in Django have been fixed across various Ubuntu distributions. Refer to the official documentation for updates and detailed risk assessments
Several security issues were fixed in Django.

Summary

Several security issues were fixed in Django.

Software Description:

- python-django: High-level Python web development framework

Details:

Jedediah Smith discovered that Django incorrectly handled underscores in

WSGI headers. A remote attacker could possibly use this issue to spoof

headers in certain environments. (CVE-2015-0219)

Mikko Ohtamaa discovered that Django incorrectly handled user-supplied

redirect URLs. A remote attacker could possibly use this issue to perform a

cross-site scripting attack. (CVE-2015-0220)

Alex Gaynor discovered that Django incorrectly handled reading files in

django.views.static.serve(). A remote attacker could possibly use this

issue to cause Django to consume resources, resulting in a denial of

service. (CVE-2015-0221)

Keryn Knight discovered that Django incorrectly handled forms with

ModelMultipleChoiceField. A remote attacker could possibly use this issue

to cause a large number of SQL queries, resulting in a database de...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
  python-django                   1.6.6-1ubuntu2.1
  python3-django                  1.6.6-1ubuntu2.1

Ubuntu 14.04 LTS:
  python-django                   1.6.1-2ubuntu0.6

Ubuntu 12.04 LTS:
  python-django                   1.3.1-4ubuntu1.13

Ubuntu 10.04 LTS:
  python-django                   1.1.1-2ubuntu1.14

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-2469-1

CVE-2015-0219, CVE-2015-0220, CVE-2015-0221, CVE-2015-0222

January 13, 2015

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.