[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1WuKAm-0002Dq-S3@titan.mandriva.com>
Date: Tue, 10 Jun 2014 13:25:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2014:113 ] python-django
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:113
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : python-django
Date : June 10, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been discovered and corrected in
python-django:
Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7
before 1.7b4 does not properly include the (1) Vary: Cookie or (2)
Cache-Control header in responses, which allows remote attackers to
obtain sensitive information or poison the cache via a request from
certain browsers (CVE-2014-1418).
The django.util.http.is_safe_url function in Django 1.4 before
1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4
does not properly validate URLs, which allows remote attackers to
conduct open redirect attacks via a malformed URL, as demonstrated
by http:\djangoproject.com. (CVE-2014-3730).
The django.core.urlresolvers.reverse function in Django before 1.4.11,
1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta
2 allows remote attackers to import and execute arbitrary Python
modules by leveraging a view that constructs URLs using user input
and a dotted Python path. (CVE-2014-0472).
The caching framework in Django before 1.4.11, 1.5.x before 1.5.6,
1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached
CSRF token for all anonymous users, which allows remote attackers to
bypass CSRF protections by reading the CSRF cookie for anonymous users
(CVE-2014-0473).
The (1) FilePathField, (2) GenericIPAddressField, and (3)
IPAddressField model field classes in Django before 1.4.11,
1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta
2 do not properly perform type conversion, which allows remote
attackers to have unspecified impact and vectors, related to MySQL
typecasting. (CVE-2014-0474).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0474
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
b5c81c5dc930dd057bc84ab4c2c5e1ae mbs1/x86_64/python-django-1.3.7-1.4.mbs1.noarch.rpm
35585be4a7eaf1729895747c1669492f mbs1/SRPMS/python-django-1.3.7-1.4.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFTlsDTmqjQ0CJFipgRAo5aAJwNpNvxeEZvRp6KJWW6aT+WncwkFwCgmNDC
oDR4UsWPzZRj7IuDtJOeG1A=
=iHJ3
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists