===========================================================================
                         AUSCERT Security Bulletin

                                ASB-2016.0026
      Multiple vulnerabilities have been identified in Django prior to
                         releases 1.8.10 and 1.9.3
                                 9 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Django
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Provide Misleading Information -- Remote with User Interaction
                      Reduced Security               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-2513 CVE-2016-2512
Member content until: Friday, April 8 2016

OVERVIEW

        Multiple vulnerabilities have been identified in Django prior to
        releases 1.8.10 and 1.9.3. [1]

IMPACT

        Django has provided the following details regarding the
        vulnerabilities:

        "CVE-2016-2512: Malicious redirect and possible XSS attack via
        user-supplied redirect URLs containing basic auth

        Django relies on user input in some cases (e.g.
        django.contrib.auth.views.login() and i18n) to redirect the user
        to an "on success" URL. The security check for these redirects
        (namely django.utils.http.is_safe_url()) considered some URLs with
        basic authentication credentials "safe" when they shouldn't be.

        For example, a URL like http://mysite.example.com\@attacker.com
        would be considered safe if the request's host is
        http://mysite.example.com, but redirecting to this URL sends the
        user to attacker.com.

        Also, if a developer relies on is_safe_url() to provide safe
        redirect targets and puts such a URL into a link, they could
        suffer from an XSS attack." [1]

        "CVE-2016-2513: User enumeration through timing difference on
        password hasher work factor upgrade

        In each major version of Django since 1.6, the default number of
        iterations for the PBKDF2PasswordHasher and its subclasses has
        increased. This improves the security of the password as the
        speed of hardware increases, however, it also creates a timing
        difference between a login request for a user with a password
        encoded in an older number of iterations and login request for a
        nonexistent user (which runs the default hasher's default number
        of iterations since Django 1.6).

        This only affects users who haven't logged in since the
        iterations were increased. The first time a user logs in after an
        iterations increase, their password is updated with the new
        iterations and there is no longer a timing difference." [1]

MITIGATION

        Django encourages all users to update to the latest release to
        fix these issues. [1]

REFERENCES

        [1] Django security releases issued: 1.9.3 and 1.8.10
            https://www.djangoproject.com/weblog/2016/mar/01/security-releases/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
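The CVE-2016-2512 weakness described above, shown as an added example that is not Django's own code: a naive redirect-target check modelled on the pre-1.8.10 behaviour the bulletin describes (rewrite backslashes to slashes, then compare the host once) beside a hardened check that validates the URL both as written and as rewritten and refuses any userinfo in the authority. Function names, the constructed sample URLs and the extra userinfo rule are assumptions made for this example.

```python
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")


def _check(url: str, host: str) -> bool:
    """Relative URLs pass; absolute URLs must use http/https and match host."""
    # Chrome treats a URL starting with three slashes as absolute, urlparse
    # does not, so refuse it outright rather than guess.
    if url.startswith("///"):
        return False
    info = urlparse(url)
    # "http:///example.com" has a scheme but an empty authority; browsers
    # still treat example.com as the host, so refuse that shape too.
    if info.scheme and not info.netloc:
        return False
    host_ok = not info.netloc or info.netloc == host
    scheme_ok = not info.scheme or info.scheme in ALLOWED_SCHEMES
    return host_ok and scheme_ok


def naive_is_safe_url(url: str, host: str) -> bool:
    """Vulnerable pattern: normalise '\\' to '/' and check only the result.

    http://mysite.example.com\\@attacker.com becomes
    http://mysite.example.com/@attacker.com, whose authority equals host, so
    it is accepted; a browser instead reads 'mysite.example.com\\' as
    basic-auth userinfo and navigates to attacker.com.
    """
    url = (url or "").strip()
    if not url:
        return False
    return _check(url.replace("\\", "/"), host)


def hardened_is_safe_url(url: str, host: str) -> bool:
    """Hardened check: must pass both as written and with '\\' rewritten.

    The userinfo rule (any '@' in the authority is refused) is an extra
    layer added in this example, beyond what the bulletin describes.
    """
    url = (url or "").strip()
    if not url:
        return False
    if "@" in urlparse(url).netloc:
        return False
    return _check(url, host) and _check(url.replace("\\", "/"), host)
```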