[Bug 1130445] Re: Security releases issued - Django 1.3.6, Django 1.4.4
Marc Deslauriers
marc.deslauriers at canonical.com
Fri Feb 22 15:48:42 UTC 2013
** Also affects: python-django (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: python-django (Ubuntu Oneiric)
Importance: Undecided
Status: New
** Also affects: python-django (Ubuntu Quantal)
Importance: Undecided
Status: New
** Also affects: python-django (Ubuntu Raring)
Importance: Undecided
Status: New
** Also affects: python-django (Ubuntu Precise)
Importance: Undecided
Status: New
** Changed in: python-django (Ubuntu Lucid)
Status: New => Confirmed
** Changed in: python-django (Ubuntu Oneiric)
Status: New => Confirmed
** Changed in: python-django (Ubuntu Precise)
Status: New => Confirmed
** Changed in: python-django (Ubuntu Quantal)
Status: New => Confirmed
** Changed in: python-django (Ubuntu Raring)
Status: New => Confirmed
** Changed in: python-django (Ubuntu Lucid)
Importance: Undecided => Medium
** Changed in: python-django (Ubuntu Oneiric)
Importance: Undecided => Medium
** Changed in: python-django (Ubuntu Quantal)
Importance: Undecided => Medium
** Changed in: python-django (Ubuntu Raring)
Importance: Undecided => Medium
** Changed in: python-django (Ubuntu Precise)
Importance: Undecided => Medium
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0305
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0306
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1664
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1665
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-django in Ubuntu.
https://bugs.launchpad.net/bugs/1130445
Title:
Security releases issued - Django 1.3.6, Django 1.4.4
Status in “python-django” package in Ubuntu:
Confirmed
Status in “python-django” source package in Lucid:
Confirmed
Status in “python-django” source package in Oneiric:
Confirmed
Status in “python-django” source package in Precise:
Confirmed
Status in “python-django” source package in Quantal:
Confirmed
Status in “python-django” source package in Raring:
Confirmed
Bug description:
Here's a brief summary of each issue and its resolution:
Issue: Host header poisoning: an attacker could cause Django to
generate and display URLs that link to arbitrary domains. This could
be used as part of a phishing attack. These releases fix this problem
by introducing a new setting, ALLOWED_HOSTS, which specifies a
whitelist of domains your site is known to respond to.
Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to
allow all hosts. This means that to actually fix the security
vulnerability you should define this setting yourself immediately
after upgrading.
Issue: Formset denial-of-service: an attacker can abuse Django's
tracking of the number of forms in a formset to cause a
denial-of-service attack. This has been fixed by adding a default maximum number
of forms of 1,000. You can still manually specify a bigger max_num, if
you wish, but 1,000 should be enough for anyone.
Issue: XML denial of service attacks: Django's serialization framework
was vulnerable to denial of service attacks via XML entity expansion
and external references; this is now fixed. However, if you're parsing
arbitrary XML in other parts of your application, we recommend you
look into the defusedxml Python packages which remedy this anywhere
you parse XML, not just via Django's serialization framework.
Issue: Data leakage via admin history log: Django's admin interface
could expose supposedly-hidden information via its history log. This
has been fixed.
https://www.djangoproject.com/weblog/2013/feb/19/security/
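The host header poisoning item above turns on how ALLOWED_HOSTS is matched and on the permissive release default. The following is an added example, not code from Django or from this bug report: it mirrors the documented ALLOWED_HOSTS pattern rules (exact name, leading-dot suffix, bare "*") so a deployer can see which Host values a given setting rejects, plus a small audit that flags the all-hosts default. Function names are this example's own.

```python
# Added example mirroring ALLOWED_HOSTS-style matching; not Django's code.
# Assumed pattern syntax: "www.example.com" (exact), ".example.com" (the
# domain and every subdomain of it), "*" (any host, the 1.3.6/1.4.4 default).
import re

_PORT_RE = re.compile(r":\d+$")


def _strip_port(host_header):
    """Return the lowercase host part of a Host header, without any :port."""
    return _PORT_RE.sub("", host_header.strip().lower())


def host_allowed(host_header, allowed_hosts):
    """True if the raw Host header value matches one ALLOWED_HOSTS pattern."""
    host = _strip_port(host_header)
    if not host:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True  # every host accepted: the permissive default
        if pattern.startswith("."):
            # ".example.com" matches example.com itself and any subdomain;
            # endswith() keeps "example.com.attacker.invalid" from matching.
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def audit_allowed_hosts(allowed_hosts):
    """Flag settings that leave host header poisoning unmitigated."""
    findings = []
    if not allowed_hosts:
        findings.append("ALLOWED_HOSTS is empty: every request will be rejected")
    if "*" in allowed_hosts:
        findings.append("ALLOWED_HOSTS contains '*': every Host value is accepted")
    return findings


if __name__ == "__main__":
    # Constructed sample values for a quick check of the matching rules.
    print(host_allowed("www.example.com:8000", ["www.example.com"]))  # True
    print(host_allowed("example.com.attacker.invalid", [".example.com"]))  # False
    print(audit_allowed_hosts(["*"]))
```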