
Mageia alert MGASA-2014-0231 (python-django)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2014-0231: Updated python-django package fix two vulnerabilities
Date:  Mon, 19 May 2014 20:53:43 +0200
Message-ID:  <20140519185343.646675CD6F@valstar.mageia.org>

MGASA-2014-0231 - Updated python-django package fix two vulnerabilities

Publication date: 19 May 2014
URL: http://advisories.mageia.org/MGASA-2014-0231.html
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-1418, CVE-2014-3730

Description:
Updated python-django and python-django14 packages fix security vulnerabilities:

Stephen Stewart, Michael Nelson, Natalia Bidart and James Westby discovered that Django improperly removed Vary and Cache-Control headers from HTTP responses when replying to a request from an Internet Explorer or Chrome Frame client. An attacker may use this to retrieve private data or poison caches. This update removes workarounds for bugs in Internet Explorer 6 and 7 (CVE-2014-1418).

Peter Kuma and Gavin Wahl discovered that Django did not correctly validate some malformed URLs, which are accepted by some browsers. An attacker may use this to cause unexpected redirects (CVE-2014-3730).

References:
- https://www.djangoproject.com/weblog/2014/may/14/security...
- http://www.ubuntu.com/usn/usn-2212-1/
- https://bugs.mageia.org/show_bug.cgi?id=13384
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1418
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3730

SRPMS:
- 4/core/python-django-1.5.8-1.mga4
- 4/core/python-django14-1.4.13-1.mga4
- 3/core/python-django-1.4.13-1.mga3
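A post-update check for the header behaviour described under CVE-2014-1418, as an added example that is not part of the advisory or of Django: it compares the Vary and Cache-Control values of two captured responses for the same URL, one fetched with an ordinary User-Agent and one with an Internet Explorer User-Agent. The function names and the sample responses are constructed for illustration.

```python
from email.parser import Parser

# Headers the advisory says were improperly removed for IE / Chrome Frame clients.
CHECKED = ("vary", "cache-control")


def header_tokens(raw_response):
    """Return {header: set of lower-cased comma-separated tokens} for CHECKED."""
    text = raw_response.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]           # drop the body, if any
    _, _, header_block = head.partition("\n")  # drop the status line
    msg = Parser().parsestr(header_block, headersonly=True)
    tokens = {}
    for name in CHECKED:
        values = msg.get_all(name) or []       # a header may appear more than once
        tokens[name] = {
            t.strip().lower() for v in values for t in v.split(",") if t.strip()
        }
    return tokens


def dropped_tokens(baseline_raw, ie_raw):
    """Tokens present in the baseline response but absent from the IE response."""
    base, ie = header_tokens(baseline_raw), header_tokens(ie_raw)
    return {
        name: sorted(base[name] - ie[name])
        for name in CHECKED
        if base[name] - ie[name]
    }


# Constructed sample captures (not taken from a real server).
BASELINE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
    "Vary: Cookie, Accept-Language\r\nCache-Control: private, no-cache\r\n\r\n"
)
IE_BEFORE_UPDATE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
    "Cache-Control: private\r\n\r\n"
)
IE_AFTER_UPDATE = BASELINE  # headers identical regardless of User-Agent

if __name__ == "__main__":
    print("before:", dropped_tokens(BASELINE, IE_BEFORE_UPDATE))
    print("after: ", dropped_tokens(BASELINE, IE_AFTER_UPDATE))
```

An empty result means the IE-flavoured response kept every Vary and Cache-Control token of the baseline, which is the expected state once the updated packages are installed.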




Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds