Sicherheit: Mehrere Probleme in Django

Lesezeichen hinzufügen

--===============7280206572010818154==
Content-Type: multipart/signed; micalg="pgp-sha512";
protocol="application/pgp-signature";
boundary="=-T2MPndvTH2nlETLokcjF"

--=-T2MPndvTH2nlETLokcjF
Content-Type: text/plain; charset="UTF-8
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-1560-1
September 10, 2012

python-django vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:

Applications using Django could be made to crash or expose sensitive
information.

Software Description:
- python-django: High-level Python web development framework

Details:

It was discovered that Django incorrectly validated the scheme of a
redirect target. If a user were tricked into opening a specially crafted
URL, an attacker could possibly exploit this to conduct cross-site
scripting (XSS) attacks. (CVE-2012-3442)

It was discovered that Django incorrectly handled validating certain
images. A remote attacker could use this flaw to cause the server to
consume memory, leading to a denial of service. (CVE-2012-3443)

Jeroen Dekkers discovered that Django incorrectly handled certain image
dimensions. A remote attacker could use this flaw to cause the server to
consume resources, leading to a denial of service. (CVE-2012-3444)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
python-django 1.3.1-4ubuntu1.2

Ubuntu 11.10:
python-django 1.3-2ubuntu1.3

Ubuntu 11.04:
python-django 1.2.5-1ubuntu1.2

Ubuntu 10.04 LTS:
python-django 1.1.1-2ubuntu1.5

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1560-1
CVE-2012-3442, CVE-2012-3443, CVE-2012-3444

Package Information:
https://launchpad.net/ubuntu/+source/python-django/1.3.1-4ubuntu1.2
https://launchpad.net/ubuntu/+source/python-django/1.3-2ubuntu1.3
https://launchpad.net/ubuntu/+source/python-django/1.2.5-1ubuntu1.2
https://launchpad.net/ubuntu/+source/python-django/1.1.1-2ubuntu1.5

--Ý2MPndvTH2nlETLokcjF
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAABCgAGBQJQTedQAAoJEGVp2FWnRL6TY7kP/15nhgOOVD5+J1qh6msQtRj/
zdhR7g/GFMqZ/r3tM4XChEAdC0r2S7QS3xKbf//duuopgKsJMnTAyp8yOGdJ7AsS
1ZsaDoOg0qaYZv3fqehCbq3pGy9rvVBgJ9KcsPZNM614uklR2Y2hX0kxezLGfT84
YqfcNvdgc7gh6ANlQRoxDcI0UUDG4qeHQFoOdPyNEFtc+wGyp7sHdy7jX4vB/8ez
ZPjB4VIgM/lqDzRNNZsBI2oyQ31CGfhFF04blfdaNt3kNNRdXqI4E36veT/hWXQO
z3ogLUewICtDk7zQru51adF5yG1FoQXLDRVrDrd1M54iedfmyu227iwcuqw/mHyQ
qq1JuJplgkZMmXbeENQI5ZelkmXZhIvZx6QPCiqtYJE9M6W40hpBkgluKO6QGVvg
0FZusLPBki63oBsMMXDzAS5BzhcGWQAHzy/BGzHOjKCIQANZ9p1cOaTfkPg56kOy
w+y+VjZtFmuU4nCOVVAlJmtrjZsgQDhVLUdg78Y/FQLktVoT9LUPcLQGpyxPENSJ
REr4vNMcEN11ZfehY3KY6/ORg9sRbDM7jaLQPylIm8LMHXfBmZuW5uW1O0D6C85v
/RoC2hEaEBA0p1ZptmJfCP0jS++luCnUyk5w5t2bU46V0uTyzQaTA6G6sQzsTwee
RFTLpdstMhWKfKM6GgwP
=CrCw
-----END PGP SIGNATURE-----

--=-T2MPndvTH2nlETLokcjF--

--===============7280206572010818154==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============7280206572010818154==--