lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 06 Jan 2011 20:28:57 -0600
From: Jamie Strandboge <>
	full-disclosure <>
Subject: [USN-1040-1] Django vulnerabilities

Ubuntu Security Notice USN-1040-1          January 07, 2011
python-django vulnerabilities
CVE-2010-4534, CVE-2010-4535

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  python-django                   1.1.1-1ubuntu1.1

Ubuntu 10.04 LTS:
  python-django                   1.1.1-2ubuntu1.2

Ubuntu 10.10:
  python-django                   1.2.3-1ubuntu0.

In general, a standard system update will make all the necessary changes.

Details follow:

Adam Baldwin discovered that Django did not properly validate query string
lookups. This could be exploited to provide an information leak to an
attacker with admin privilieges. (CVE-2010-4534)

Paul McMillan discovered that Django did not validate the length of the
token used when generating a password reset. An attacker could exploit
this to cause a denial of service via resource exhaustion. (CVE-2010-4535)

Updated packages for Ubuntu 9.10:

  Source archives:
      Size/MD5:    20554 69008b0041f74d261d2dfd833f0cbc71
      Size/MD5:     2215 80222eacb212cce9d95bd988313f1f72
      Size/MD5:  5614106 d7839c192e115f9c4dd8777de24dc21c

  Architecture independent packages:
      Size/MD5:  1528844 e46b0b9ab737be222c70d9e5c0445a31
      Size/MD5:  3869262 679a5d0e5668402d7d019e3a7c73d851

Updated packages for Ubuntu 10.04 LTS:

  Source archives:
      Size/MD5:    43848 69baf8e98b78de3762e12023f71d0704
      Size/MD5:     2215 d18df1b93b0953664165c15870852145
      Size/MD5:  5614106 d7839c192e115f9c4dd8777de24dc21c

  Architecture independent packages:
      Size/MD5:  1538222 f962bfdfb7feb43460d2a7124190c4e6
      Size/MD5:  3881736 455508583d9a7aea7f7555ad376824f5

Updated packages for Ubuntu 10.10:

  Source archives:
      Size/MD5:    21609 391d97abadfcdfcc723b47073359f885
      Size/MD5:     2281 336e74a9d11c13359b9470dec5c4b89f
      Size/MD5:  6306760 10bfb5831bcb4d3b1e6298d0e41d6603

  Architecture independent packages:
      Size/MD5:  1906098 5a1417117c2a2825d93bded7ca785824
      Size/MD5:  4213194 6cd0e133466c7b624a99c74c3dc56e3c

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists