LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Pardus alert 2011-45 (Django)



From:
    	      Meltem  <meltem@pardus.org.tr> 


To:
    	      pardus-security@pardus.org.tr 


Subject:
    	      [Pardus-security] [PLSA 2011-45] Django: Multiple Vulnerabilities 


Date:
    	      Mon, 14 Feb 2011 23:21:15 +0200


Message-ID:
    	      <201102142321.15161.meltem@pardus.org.tr>


Archive-link:
    	      Article, Thread
              


------------------------------------------------------------------------
Pardus Linux Security Advisory 2011-45            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2011-02-14
  Severity: 4
      Type: Remote
------------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities have been fixed in Django. 


Description
===========

CVE-2010-4534: 

The administrative interface in django.contrib.admin in  Django  before 
1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly
restrict use of the query string to perform certain  object  filtering, 
which allows remote authenticated users to obtain sensitive information 
via a series of requests containing regular expressions, as demonstrated
by a created_by__password__regex parameter. 



CVE-2010-4535: 

The password reset functionality in django.contrib.auth in Django before
1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate
the length of a string representing a base36  timestamp,  which  allows 
remote attackers to cause a denial of service (resource consumption) via
a URL that specifies a large base36 integer. 



CVE-2011-0696: 

Django 1.1.x before 1.1.4 and 1.2.x  before  1.2.5  does  not  properly 
validate HTTP requests that contain an X-Requested-With  header,  which 
makes it easier for remote  attackers  to  conduct  cross-site  request 
forgery  (CSRF) attacks  via  forged  AJAX  requests  that  leverage  a 
"combination of browser plugins and  redirects,"  a  related  issue  to 
CVE-2011-0447. 



CVE-2011-0697: 

Cross-site scripting (XSS) vulnerability in Django 1.1.x  before  1.1.4 
and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary 
web script or HTML via a filename associated with a file upload. 









Affected packages:

  Pardus 2009:
    Django, all before 1.2.5-26-10


Resolution
==========

There are update(s) for Django. You can update them via Package Manager 
or with a single command from console: 

    pisi up Django

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=15796
  * http://bugs.pardus.org.tr/show_bug.cgi?id=16850
  * http://www.djangoproject.com/weblog/2010/dec/22/security/
  * http://www.djangoproject.com/weblog/2011/feb/08/security/

------------------------------------------------------------------------

_______________________________________________
Pardus-Security mailing list
Pardus-Security@pardus.org.tr
http://liste.pardus.org.tr/mailman/listinfo/pardus-security
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds