| |||||||||||||||||||
Mageia alert MGASA-2012-0219 (python-django)
MGASA-2012-0219 Date: August 18th, 2012 Affected releases: 1, 2 Description: Updated python-django package fixes security vulnerabilities: The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL (CVE-2012-3442). The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file (CVE-2012-3443). The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image (CVE-2012-3444). Updated Packages: Mageia 1: python-django-1.3.3-1.mga1 Mageia 2: python-django-1.3.3-2.mga2 References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3442 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3443 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3444 http://lists.opensuse.org/opensuse-updates/2012-08/msg000... https://bugs.mageia.org/show_bug.cgi?id=6986 https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-... (Log in to post comments)
|
|||||||||||||||||||