[Bug 1130445] [NEW] Security releases issued - Django 1.3.6, Django 1.4.4

[Chris Johnston]

*** This bug is a security vulnerability ***

Public security bug reported:

Here's a brief summary of each issue and its resolution:

Issue: Host header poisoning: an attacker could cause Django to generate
and display URLs that link to arbitrary domains. This could be used as
part of a phishing attack. These releases fix this problem by
introducing a new setting, ALLOWED_HOSTS, which specifies a whitelist of
domains your site is known to respond to.

Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to allow
all hosts. This means that to actually fix the security vulnerability
you should define this setting yourself immediately after upgrading.

Issue: Formset denial-of-service: an attacker can abuse Django's
tracking of the number of forms in a formset to cause a denial-of-
service attack. This has been fixed by adding a default maximum number
of forms of 1,000. You can still manually specify a bigger max_num, if
you wish, but 1,000 should be enough for anyone.

Issue: XML denial of service attacks: Django's serialization framework
was vulnerable to denial of service attacks via XML entity expansion and
external references; this is now fixed. However, if you're parsing
arbitrary XML in other parts of your application, we recommend you look
into the defusedxml Python packages which remedy this anywhere you parse
XML, not just via Django's serialization framework.

Issue: Data leakage via admin history log: Django's admin interface
could expose supposedly-hidden information via its history log. This has
been fixed.


https://www.djangoproject.com/weblog/2013/feb/19/security/

** Affects: python-django (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-django in Ubuntu.
https://bugs.launchpad.net/bugs/1130445

Title:
  Security releases issued - Django 1.3.6, Django 1.4.4

Status in “python-django” package in Ubuntu:
  New

Bug description:
  Here's a brief summary of each issue and its resolution:

  Issue: Host header poisoning: an attacker could cause Django to
  generate and display URLs that link to arbitrary domains. This could
  be used as part of a phishing attack. These releases fix this problem
  by introducing a new setting, ALLOWED_HOSTS, which specifies a
  whitelist of domains your site is known to respond to.

  Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to
  allow all hosts. This means that to actually fix the security
  vulnerability you should define this setting yourself immediately
  after upgrading.

  Issue: Formset denial-of-service: an attacker can abuse Django's
  tracking of the number of forms in a formset to cause a denial-of-
  service attack. This has been fixed by adding a default maximum number
  of forms of 1,000. You can still manually specify a bigger max_num, if
  you wish, but 1,000 should be enough for anyone.

  Issue: XML denial of service attacks: Django's serialization framework
  was vulnerable to denial of service attacks via XML entity expansion
  and external references; this is now fixed. However, if you're parsing
  arbitrary XML in other parts of your application, we recommend you
  look into the defusedxml Python packages which remedy this anywhere
  you parse XML, not just via Django's serialization framework.

  Issue: Data leakage via admin history log: Django's admin interface
  could expose supposedly-hidden information via its history log. This
  has been fixed.

  
  https://www.djangoproject.com/weblog/2013/feb/19/security/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/1130445/+subscriptions