drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Zwei Probleme in Django
| Name: |
Zwei Probleme in Django |
|
| ID: |
USN-1066-1 |
|
| Distribution: |
Ubuntu |
|
| Plattformen: |
Ubuntu 9.10, Ubuntu 10.04 LTS, Ubuntu 10.10 |
|
| Datum: |
Do, 17. Februar 2011, 21:58 |
|
| Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0697 |
|
| Applikationen: |
Django |
|
Originalnachricht |
--===============2042473183233322261==
Content-Type: multipart/signed; micalg="pgp-sha512";
protocol="application/pgp-signature"; boundary="=-hb5E5EU+ni3CILzoYLck"
--=-hb5E5EU+ni3CILzoYLck
Content-Type: text/plain; charset="UTF-8
Content-Transfer-Encoding: quoted-printable
===========================================================
Ubuntu Security Notice USN-1066-1 February 17, 2011
python-django vulnerabilities
CVE-2011-0696, CVE-2011-0697
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.10:
python-django 1.1.1-1ubuntu1.2
Ubuntu 10.04 LTS:
python-django 1.1.1-2ubuntu1.3
Ubuntu 10.10:
python-django 1.2.3-1ubuntu0.2.10.10.2
ATTENTION: This update introduces a small backwards-imcompatible change
to perform full CSRF validation on all requests. Prior to this update,
AJAX requests were excepted from CSRF protections. For more details, please
see http://docs.djangoproject.com/en/1.2/releases/1.2.5/.
In general, a standard system update will make all the necessary changes.
Details follow:
It was discovered that Django did not properly validate HTTP requests that
contain an X-Requested-With header. An attacker could exploit this
vulnerability to perform cross-site request forgery (CSRF) attacks.
(CVE-2011-0696)
It was discovered that Django did not properly sanitize its input when
performing file uploads, resulting in cross-site scripting (XSS)
vulnerabilities. With cross-site scripting vulnerabilities, if a user were
tricked into viewing server output during a crafted server request, a
remote attacker could exploit this to modify the contents, or steal
confidential data, within the same domain. (CVE-2011-0697)
Updated packages for Ubuntu 9.10:
Source archives:
python-django_1.1.1-1ubuntu1.2.diff.gz
Size/MD5: 23178 9ee3275d17444e0fe9f29b558a50d656
python-django_1.1.1-1ubuntu1.2.dsc
Size/MD5: 2215 9665d3d7efb78757cc7debdd8de52dee
python-django_1.1.1.orig.tar.gz
Size/MD5: 5614106 d7839c192e115f9c4dd8777de24dc21c
Architecture independent packages:
python-django-doc_1.1.1-1ubuntu1.2_all.deb
Size/MD5: 1538754 55ff7dfcdb230ee959fab143168fee3d
python-django_1.1.1-1ubuntu1.2_all.deb
Size/MD5: 3905196 27510c2c2b922666858a4e9153edf0bb
Updated packages for Ubuntu 10.04 LTS:
Source archives:
python-django_1.1.1-2ubuntu1.3.diff.gz
Size/MD5: 46514 cdf31c55963b3a900c532a56ad14ba54
python-django_1.1.1-2ubuntu1.3.dsc
Size/MD5: 2215 4de71582b629ed7c3fe5c3334e1d98aa
python-django_1.1.1.orig.tar.gz
Size/MD5: 5614106 d7839c192e115f9c4dd8777de24dc21c
Architecture independent packages:
python-django-doc_1.1.1-2ubuntu1.3_all.deb
Size/MD5: 1538984 ed92fc05b0b71d3adc04b67424198a90
python-django_1.1.1-2ubuntu1.3_all.deb
Size/MD5: 3882040 13e2019e1fa464992f8c68bbc52f4e36
Updated packages for Ubuntu 10.10:
Source archives:
python-django_1.2.3-1ubuntu0.2.10.10.2.debian.tar.gz
Size/MD5: 27750 df339fbad6cc5389fc4979ea9ef89455
python-django_1.2.3-1ubuntu0.2.10.10.2.dsc
Size/MD5: 2276 6dba452984483a7442de365e451f1fde
python-django_1.2.3.orig.tar.gz
Size/MD5: 6306760 10bfb5831bcb4d3b1e6298d0e41d6603
Architecture independent packages:
python-django-doc_1.2.3-1ubuntu0.2.10.10.2_all.deb
Size/MD5: 1895718 bb292031a0bf07b951aea19bf8648e84
python-django_1.2.3-1ubuntu0.2.10.10.2_all.deb
Size/MD5: 4176780 44a6a1e51fc90fd3054ef09a3a2294c8
--Ñb5E5EU+ni3CILzoYLck
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAABCgAGBQJNXV6sAAoJEFHb3FjMVZVzOIMP/RSb0NZJq/+Yp0PELwerImbl
sTQOm/DSOfN1kSXsR2xQKlk8UFdftls7YKuYoh1++UgmPdm2XmUzhGuZtqXsJ4oV
ZljmWyEXkkHT+Kg4er723tLeWrpsmbV7+kxlKzzWufVA9NOU/rsYet1Y1U+324Z7
pTmRUn6hjq5k8qiyxgebsm9kExGGNkCIxTWCVAnCDqLaYvm7BrTrbKzN9/mAOM1z
tPjYSwnyeIoxs1Hk1Yb/ZCIP8x+ZBSNlZ0dB4yNylQbdSMu+7CDwgTowu9sz6fdh
ffYsVBfDldtdHmhYUiqVmCHffwkj+i3LGnHFpn09JwrOWFxt4IjcmLWZwc1eAf8H
tPWNaQLVF0vItv8t8Yg9jqNNgCrZeUovxGLyNljyj7uU+0xRbFG+DBpeiJnX1dpj
8PQVME37jqs8wmd6PNgY4aaFmtSfsq6woCTVN98jFxSm4mpxPQK7e1u3/F9c/kej
mNl+omfV0Pex0SymZwEOJyQ1l/DlrmcJnas3XbM+GdPzekhL9zCDDDxTTjAP2quH
F0afKi4TPShTo1I+uZFmva2b9LqJCIGg3NTy27mODfMoLnRhJhlEKOnUf1E9hgoz
oOZUWgC2TMCfFpQvm2XSeTg64HV0NqlmBeWDFNYF8uZHTufrguEcEKlmUFxXiCE3
tWE00tvddWXwixrHIgNT
=B3/7
-----END PGP SIGNATURE-----
--=-hb5E5EU+ni3CILzoYLck--
--===============2042473183233322261==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
--===============2042473183233322261==--
|
|
|
|
