LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for June 20, 2013

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Ubuntu alert USN-1297-1 (python-django)



From:
    	      Jamie Strandboge <jamie@canonical.com> 


To:
    	      ubuntu-security-announce@lists.ubuntu.com 


Subject:
    	      [USN-1297-1] Django vulnerabilities 


Date:
    	      Thu, 08 Dec 2011 21:31:54 -0600


Message-ID:
    	      <1323401514.5844.2.camel@localhost>


Archive-link:
    	      Article, Thread
              


==========================================================================
Ubuntu Security Notice USN-1297-1
December 09, 2011

python-django vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

Applications using Django could be made to crash or expose sensitive
information.

Software Description:
- python-django: High-level Python web development framework

Details:

Pall McMillan discovered that Django used the root namespace when storing
cached session data. A remote attacker could exploit this to modify
sessions. (CVE-2011-4136)

Paul McMillan discovered that Django would not timeout on arbitrary URLs
when the application used URLFields. This could be exploited by a remote
attacker to cause a denial of service via resource exhaustion.
(CVE-2011-4137)

Paul McMillan discovered that while Django would check the validity of a
URL via a HEAD request, it would instead use a GET request for the target
of a redirect. This could potentially be used to trigger arbitrary GET
requests via a crafted Location header. (CVE-2011-4138)

It was discovered that Django would sometimes use a request's HTTP Host
header to construct a full URL. A remote attacker could exploit this to
conduct host header cache poisoning attacks via a crafted request.
(CVE-2011-4139)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
  python-django                   1.3-2ubuntu1.1

Ubuntu 11.04:
  python-django                   1.2.5-1ubuntu1.1

Ubuntu 10.10:
  python-django                   1.2.3-1ubuntu0.2.10.10.3

Ubuntu 10.04 LTS:
  python-django                   1.1.1-2ubuntu1.4

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1297-1
  CVE-2011-4136, CVE-2011-4137, CVE-2011-4138, CVE-2011-4139

Package Information:
  https://launchpad.net/ubuntu/+source/python-django/1.3-2u...
  https://launchpad.net/ubuntu/+source/python-django/1.2.5-...
  https://launchpad.net/ubuntu/+source/python-django/1.2.3-...
  https://launchpad.net/ubuntu/+source/python-django/1.1.1-...


-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds