lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 29 Oct 2011 07:50:53 +0200 (CEST)
From: Thijs Kinkhorst <thijs@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 2332-1] python-django security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2332-1                   security@...ian.org
http://www.debian.org/security/                           Thijs Kinkhorst
October 29, 2011                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-django
Vulnerability  : several issues
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 
                 CVE-2011-4140 
Debian Bug     : 641405

Paul McMillan, Mozilla and the Django core team discovered several
vulnerabilities in Django, a Python web framework:

CVE-2011-4136

  When using memory-based sessions and caching, Django sessions are
  stored directly in the root namespace of the cache. When user data is
  stored in the same cache, a remote user may take over a session.

CVE-2011-4137, CVE-2011-4138

  Django's field type URLfield by default checks supplied URL's by
  issuing a request to it, which doesn't time out. A Denial of Service
  is possible by supplying specially prepared URL's that keep the
  connection open indefinately or fill the Django's server memory.

CVE-2011-4139

  Django used X-Forwarded-Host headers to construct full URL's. This
  header may not contain trusted input and could be used to poison the
  cache.

CVE-2011-4140

  The CSRF protection mechanism in Django does not properly handle
  web-server configurations supporting arbitrary HTTP Host headers,
  which allows remote attackers to trigger unauthenticated forged
  requests.

For the oldstable distribution (lenny), this problem has been fixed in
version 1.0.2-1+lenny3.

For the stable distribution (squeeze), this problem has been fixed in
version 1.2.3-3+squeeze2.

For the testing (wheezy) and unstable distribution (sid), this problem
has been fixed in version 1.3.1-1.

We recommend that you upgrade your python-django packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJOq5QOAAoJEOxfUAG2iX573FoH/3Ld4NEmMPQlRW9JmB3AAdsU
BjvYcbABkPRbQRJeIN9VAEF5+O0qxNjl7FjEfDXAjJ3iunxje4saddw2D/JLmH6J
I5Qmj2hKOXrnOnG6rPJHZDhc33023fVBCLqOekOIfukkDz7ShWwKglmzTHbzhJLr
cibWsHZc+7l583d3Q8pPR5CfVmFUGq9d+SO0E3Tp+r5iBOhT7KlHt+txTQ9Ir3UQ
u2cIo3LjEsyVjcsYTnfLSUANYnMLZqdROm/2GkSJlvrJFY2yac9T9eWAqLM4TrX3
eGjbNSWu6Zknd0o3VBlPuqVTxBDz3Wje0k9Rg7XcO/54+stIKo1VTTZ+3+No0bU=
=xhY3
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists