Security: Multiple problems in Django
Name: Multiple problems in Django
ID: USN-1297-1
Distribution: Ubuntu
Platforms: Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04, Ubuntu 11.10
Date: Fri, 9 December 2011, 08:18
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4136
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4139
Applications: Django

Original message


==========================================================================
Ubuntu Security Notice USN-1297-1
December 09, 2011

python-django vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

Applications using Django could be made to crash or expose sensitive
information.

Software Description:
- python-django: High-level Python web development framework

Details:

Paul McMillan discovered that Django used the root namespace when storing
cached session data. A remote attacker could exploit this to modify
sessions. (CVE-2011-4136)
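The namespace problem behind CVE-2011-4136, as an added example (not Django's own code and not part of the advisory): one dictionary stands in for a shared cache such as memcached, BareSessionStore writes session data under the raw session key, PrefixedSessionStore puts every session under a store-private prefix, and cache_user_profile is a constructed application feature that caches under a key taken from the request. All class and function names, the session ids and the profile payload are invented for this example.

```python
"""Cached sessions and cache-key namespaces (illustration of CVE-2011-4136).

Added example, not Django's own code. The point shown: if sessions live in
the root namespace of a shared cache, any other code path that lets client
data reach a cache key can plant a session that the server will accept.
"""


class SharedCache:
    """Minimal stand-in for a process-wide cache backend (constructed)."""

    def __init__(self):
        self._data = {}

    def get(self, key, default=None):
        return self._data.get(key, default)

    def set(self, key, value):
        self._data[key] = value


class BareSessionStore:
    """Vulnerable layout: the session key is used as the cache key unchanged."""

    def __init__(self, cache):
        self.cache = cache

    def _cache_key(self, session_key):
        return session_key

    def save(self, session_key, data):
        self.cache.set(self._cache_key(session_key), dict(data))

    def load(self, session_key):
        # A missing entry means "no such session": an empty, anonymous session.
        return self.cache.get(self._cache_key(session_key), {})


class PrefixedSessionStore(BareSessionStore):
    """Fixed layout: a private prefix keeps sessions out of the root namespace."""

    # Django's fix introduced a prefix of this form for the cache session backend.
    KEY_PREFIX = "django.contrib.sessions.cache"

    def _cache_key(self, session_key):
        return self.KEY_PREFIX + session_key


def cache_user_profile(cache, profile_id, profile):
    """Constructed application feature: caches a profile under a client-chosen id.

    It stands for any code path in the application that writes to the shared
    cache under a key derived from request data."""
    cache.set(profile_id, profile)


def forged_session_demo(store_cls):
    """Attacker plants session-shaped data under a key they choose, then presents
    that key as their session cookie. Returns the session the server would load."""
    cache = SharedCache()
    sessions = store_cls(cache)

    # Legitimate traffic: a real user's session exists in the same cache.
    sessions.save("0c5e6f7a8b9c0d1e2f3a4b5c6d7e8f90", {"user_id": 42, "is_staff": False})

    # Attacker's first request: the profile id is under their control, and the
    # payload is shaped exactly like serialized session data.
    forged_key = "1111111111111111111111111111111111"
    cache_user_profile(cache, forged_key, {"user_id": 1, "is_staff": True})

    # Attacker's second request carries Cookie: sessionid=<forged_key>.
    return sessions.load(forged_key)


if __name__ == "__main__":
    print("bare     :", forged_session_demo(BareSessionStore))
    print("prefixed :", forged_session_demo(PrefixedSessionStore))
```

With the bare layout the forged key loads as a staff session for user 1; with the prefixed layout the same key resolves to nothing, because the attacker's write landed outside the session namespace. The same check applies to any cache backend shared between the session store and application code.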

Paul McMillan discovered that Django would not timeout on arbitrary URLs
when the application used URLFields. This could be exploited by a remote
attacker to cause a denial of service via resource exhaustion.
(CVE-2011-4137)

Paul McMillan discovered that while Django would check the validity of a
URL via a HEAD request, it would instead use a GET request for the target
of a redirect. This could potentially be used to trigger arbitrary GET
requests via a crafted Location header. (CVE-2011-4138)
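The two client-side problems above (no timeout, CVE-2011-4137; HEAD switched to GET on redirect, CVE-2011-4138) in one added example that is not Django's code and not part of the advisory. A constructed fake transport replaces the network: each route maps (method, url) to a response and a simulated response delay, and the transport records every request and the time a caller would have spent blocked. check_url_vulnerable mirrors the described behaviour; check_url_fixed passes a timeout, keeps HEAD across hops, refuses non-http(s) targets and bounds the hop count. All names, hosts and URLs are invented.

```python
"""URL existence check with a bounded client: request timeout (CVE-2011-4137)
and method-preserving redirects (CVE-2011-4138).

Added example, not Django's own code. FakeTransport is a constructed stand-in
for the network so the block runs offline.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class FakeTransport:
    """routes: {(method, url): (status, headers, delay_seconds)} (constructed)."""

    def __init__(self, routes):
        self.routes = routes
        self.log = []        # (method, url) in the order requested
        self.blocked_s = 0   # seconds a real caller would have sat waiting

    def request(self, method, url, timeout=None):
        self.log.append((method, url))
        status, headers, delay = self.routes.get((method, url), (404, {}, 0))
        if timeout is not None and delay > timeout:
            self.blocked_s += timeout
            raise TimeoutError(f"{method} {url}: no response within {timeout}s")
        self.blocked_s += delay   # no timeout: the worker waits the full delay
        return status, headers


def check_url_vulnerable(transport, url):
    """No timeout, and the redirect target is fetched with GET."""
    status, headers = transport.request("HEAD", url)
    if status in REDIRECT_CODES and "Location" in headers:
        status, headers = transport.request("GET", urljoin(url, headers["Location"]))
    return status < 400


def check_url_fixed(transport, url, timeout=10, max_redirects=5):
    """Bounded wait, HEAD preserved across redirects, http(s) only, hop limit."""
    for _ in range(max_redirects + 1):
        if urlsplit(url).scheme not in ("http", "https"):
            return False
        try:
            status, headers = transport.request("HEAD", url, timeout=timeout)
        except TimeoutError:
            return False
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return status < 400
    return False  # redirect chain too long


# Constructed routes: a public page that redirects into an internal endpoint,
# a server that takes an hour to answer, and a redirect loop.
ROUTES = {
    ("HEAD", "http://public.test/page"): (302, {"Location": "http://intranet.test/admin/delete?id=7"}, 0),
    ("HEAD", "http://intranet.test/admin/delete?id=7"): (200, {}, 0),
    ("GET", "http://intranet.test/admin/delete?id=7"): (200, {}, 0),  # the side-effecting request
    ("HEAD", "http://tarpit.test/"): (200, {}, 3600),
    ("HEAD", "http://loop.test/a"): (302, {"Location": "/b"}, 0),
    ("HEAD", "http://loop.test/b"): (302, {"Location": "/a"}, 0),
}


def run(checker, url, **kwargs):
    """Run one checker against a fresh transport.

    Returns (result, request log, seconds the caller was blocked)."""
    transport = FakeTransport(ROUTES)
    result = checker(transport, url, **kwargs)
    return result, transport.log, transport.blocked_s


if __name__ == "__main__":
    for name, checker in (("vulnerable", check_url_vulnerable), ("fixed", check_url_fixed)):
        for url in ("http://public.test/page", "http://tarpit.test/", "http://loop.test/a"):
            print(name, url, run(checker, url))
```

Against the constructed routes, the vulnerable checker issues a GET to the intranet endpoint the public page redirected to, and blocks for the full hour on the tarpit; the fixed checker sends only HEAD requests, gives up after the timeout, and stops the loop after its hop budget.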

It was discovered that Django would sometimes use a request's HTTP Host
header to construct a full URL. A remote attacker could exploit this to
conduct host header cache poisoning attacks via a crafted request.
(CVE-2011-4139)
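The Host-header poisoning above, as an added example (not Django's code and not the 2011 patch): a constructed landing page builds an absolute "Sign in" link from the request's Host header, and a response cache keyed on the path alone sits in front of it. serve_vulnerable trusts the header; serve_fixed validates it against an allow-list first, the approach later Django releases took with the ALLOWED_HOSTS setting. Hosts, paths and names are invented; IPv6 literal hosts are out of scope.

```python
"""Host-header cache poisoning and a Host allow-list (illustration of CVE-2011-4139).

Added example, not Django's own code. The cache, the page and the allow-list
check are all constructed for this block.
"""
import re

# hostname[:port]: lower-case letters, digits, dots and hyphens only
_HOST_RE = re.compile(r"^[a-z0-9.-]+(:[0-9]{1,5})?$")


class SuspiciousHost(ValueError):
    """The Host header is malformed or not on the allow-list."""


def validate_host(host_header, allowed_hosts):
    """Return the normalized host[:port] or raise SuspiciousHost.

    allowed_hosts entries are exact hostnames, or '.example.test' to accept
    example.test and any of its subdomains."""
    host = host_header.strip().lower()
    if not _HOST_RE.match(host):
        raise SuspiciousHost(f"malformed Host header: {host_header!r}")
    hostname = host.rsplit(":", 1)[0] if ":" in host else host
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if hostname == pattern[1:] or hostname.endswith(pattern):
                return host
        elif hostname == pattern:
            return host
    raise SuspiciousHost(f"Host {hostname!r} is not an allowed host")


def is_allowed_host(host_header, allowed_hosts):
    try:
        validate_host(host_header, allowed_hosts)
        return True
    except SuspiciousHost:
        return False


class ResponseCache:
    """Constructed page cache keyed on the request path only."""

    def __init__(self):
        self._pages = {}

    def get_or_render(self, path, render):
        if path not in self._pages:
            self._pages[path] = render()
        return self._pages[path]


def render_landing(host):
    # The absolute URL is what makes the Host header part of the cached body.
    return f'<a href="http://{host}/accounts/login/">Sign in</a>'


def serve_vulnerable(cache, path, host_header):
    return cache.get_or_render(path, lambda: render_landing(host_header))


def serve_fixed(cache, path, host_header, allowed_hosts=("www.example.test",)):
    host = validate_host(host_header, allowed_hosts)  # rejects before anything is cached
    return cache.get_or_render(path, lambda: render_landing(host))


def poisoning_demo(serve):
    """Attacker's request arrives first with Host: evil.test; return what the
    next, honest visitor is served from the cache."""
    cache = ResponseCache()
    try:
        serve(cache, "/", "evil.test")
    except SuspiciousHost:
        pass  # the fixed server drops the request and caches nothing
    return serve(cache, "/", "www.example.test")


if __name__ == "__main__":
    print("vulnerable:", poisoning_demo(serve_vulnerable))
    print("fixed     :", poisoning_demo(serve_fixed))
```

With the vulnerable server every later visitor gets a sign-in link pointing at evil.test until the cache entry expires; with the allow-list the attacker's request is rejected before rendering, so nothing poisoned reaches the cache. The check has to run before any caching or URL construction, not after.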

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
python-django 1.3-2ubuntu1.1

Ubuntu 11.04:
python-django 1.2.5-1ubuntu1.1

Ubuntu 10.10:
python-django 1.2.3-1ubuntu0.2.10.10.3

Ubuntu 10.04 LTS:
python-django 1.1.1-2ubuntu1.4

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1297-1
CVE-2011-4136, CVE-2011-4137, CVE-2011-4138, CVE-2011-4139

Package Information:
https://launchpad.net/ubuntu/+source/python-django/1.3-2ubuntu1.1
https://launchpad.net/ubuntu/+source/python-django/1.2.5-1ubuntu1.1
https://launchpad.net/ubuntu/+source/python-django/1.2.3-1ubuntu0.2.10.10.3
https://launchpad.net/ubuntu/+source/python-django/1.1.1-2ubuntu1.4



ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
