-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2008.0896 -- [UNIX/Linux][Debian]
        New python-django packages fix cross site request forgery
                            23 September 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              python-django
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Cross-site Request Forgery
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-3909 CVE-2007-5712

Original Bulletin:    http://www.debian.org/security/2008/dsa-1640

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running Django check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1640-1                  security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
September 20, 2008                    http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : python-django
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-3909 CVE-2007-5712
Debian Bug     : 497765 448838

Simon Willison discovered that in Django, a Python web framework, the
feature to retain HTTP POST data during user reauthentication allowed a
remote attacker to perform unauthorized modification of data through
cross site request forgery. This is possible regardless of whether the
Django plugin to prevent cross site request forgery is enabled. The
Common Vulnerabilities and Exposures project identifies this issue as
CVE-2008-3909.
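Why retaining POST data across reauthentication defeats a CSRF check, as a runnable model added here (this is illustrative code written for this bulletin, not Django's implementation; the Site/Session classes, the change_email action, the credentials and the forged request are all assumptions). The forged cross-site POST carries no token, so a CSRF check on its own would reject it. But if the application answers an unauthenticated POST with a login page that embeds the submitted fields and resubmits them after login, the resubmission comes from the site's own form and therefore carries a valid token, which is exactly the situation the advisory describes as "regardless of the plugin being enabled":

```python
"""Model of the CVE-2008-3909 failure mode described in DSA-1640.

A login page that preserves the POST data of the request that triggered
reauthentication and resubmits it after a successful login defeats CSRF
protection: the replayed request is submitted from the site's own login
form, so it carries a valid CSRF token even though the original request
came from an attacker-controlled page. Stand-alone illustration written
for this page; not Django's code, and all names are assumptions.
"""
import secrets

ADMIN_CREDENTIALS = ("admin", "correct horse battery staple")  # constructed


class Session:
    """Per-browser state: logged-in user (if any) and a CSRF token."""

    def __init__(self):
        self.user = None
        self.csrf_token = secrets.token_hex(16)


class Site:
    """Toy application with one state-changing action behind a login."""

    def __init__(self, retain_post_on_login):
        # True models the pre-fix behaviour; False models the DSA-1640 fix
        # (the feature is disabled, so the POST data is simply dropped).
        self.retain_post_on_login = retain_post_on_login
        self.contact_email = "admin@example.org"

    def _csrf_ok(self, session, form):
        return form.get("csrfmiddlewaretoken") == session.csrf_token

    def change_email(self, session, form):
        """Hypothetical POST /settings/email: needs login and a valid token."""
        if session.user is None:
            return self._login_page(session, form)
        if not self._csrf_ok(session, form):
            return {"status": 403}
        self.contact_email = form["email"]
        return {"status": 200}

    def _login_page(self, session, original_form):
        page = {"status": 200, "csrf_token": session.csrf_token, "post_data": None}
        if self.retain_post_on_login:
            # Vulnerable: the original POST fields are embedded as hidden
            # inputs in the login form and replayed after a successful login.
            page["post_data"] = {k: v for k, v in original_form.items()
                                 if k != "csrfmiddlewaretoken"}
        return page

    def login(self, session, username, password, login_form):
        """Hypothetical POST /login; login_form holds what _login_page rendered."""
        if (username, password) != ADMIN_CREDENTIALS:
            return {"status": 401}
        session.user = username
        if login_form.get("post_data"):
            replay = dict(login_form["post_data"])
            # The login form was served by this site, so the browser submits
            # the real token with it: the replayed request passes the check.
            replay["csrfmiddlewaretoken"] = login_form["csrf_token"]
            return self.change_email(session, replay)
        return {"status": 302}


def run_csrf_through_reauth(retain_post_on_login):
    """An attacker page forges a POST while the victim is logged out; the
    victim then logs in on the page that results. Returns the final email."""
    site = Site(retain_post_on_login)
    victim = Session()
    forged = {"email": "attacker@example.net"}  # constructed cross-site POST, no token
    page = site.change_email(victim, forged)
    login_form = {"csrf_token": page["csrf_token"], "post_data": page["post_data"]}
    site.login(victim, *ADMIN_CREDENTIALS, login_form)
    return site.contact_email


def direct_forgery_status():
    """The same forged POST against an already logged-in victim is stopped
    by the CSRF check alone, which is why the reauthentication path mattered."""
    site = Site(retain_post_on_login=True)
    victim = Session()
    victim.user = "admin"
    return site.change_email(victim, {"email": "attacker@example.net"})["status"]


if __name__ == "__main__":
    print("POST retained across login:", run_csrf_through_reauth(True))
    print("POST discarded (DSA-1640 fix):", run_csrf_through_reauth(False))
    print("Direct forgery while logged in:", direct_forgery_status())
```

The fixed variant drops the pending POST and returns a plain redirect after login, which is what disabling the feature amounts to; the user has to resubmit the form from a page the site rendered, at which point the token check is meaningful again.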
In this update the affected feature is disabled; this is in accordance
with upstream's preferred solution for this situation.

This update takes the opportunity to also fix a relatively minor denial
of service vulnerability in the internationalisation framework, known as
CVE-2007-5712.

For the stable distribution (etch), these problems have been fixed in
version 0.95.1-1etch2.

For the unstable distribution (sid), these problems have been fixed in
version 1.0-1.

We recommend that you upgrade your python-django package.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1-1etch2.dsc
    Size/MD5 checksum:      940 62d31adf6a658ab089df66916148d2d8
  http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1.orig.tar.gz
    Size/MD5 checksum:  1297839 07f09d8429916481e09e84fd01e97355
  http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1-1etch2.diff.gz
    Size/MD5 checksum:     8069 6e5e17af4148911137b1a8aebaa8096c

Architecture independent packages:

  http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1-1etch2_all.deb
    Size/MD5 checksum:  1025742 93417b16a120eada12b807b8372cc858

These files will probably be moved into the stable distribution on
its next update.
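For the manual wget/dpkg path above, the check a practitioner should make before running dpkg -i is that the fetched file matches the size and MD5 the advisory lists. The following is an added example written for this page, not a Debian tool: it parses the file list in the "URL / Size/MD5 checksum:" layout used above (the embedded list is copied from this advisory) and compares a file against it. The parse_file_list, verify_bytes and verify_download names are assumptions. MD5 is collision-weak, so this catches a corrupted or swapped download but is not a substitute for signature verification; the apt-get route below gets that for free, because apt checks the archive signature on the security.debian.org index.

```python
"""Verify a downloaded advisory file against the listed size and MD5.

Added example for this bulletin, not part of the advisory or of Debian's
tooling. The regex targets the "Size/MD5 checksum: <size> <md5>" lines
that follow each URL in DSA-1640-1's file list.
"""
import hashlib
import os
import re

# The etch file list exactly as given in DSA-1640-1 above.
ADVISORY_FILE_LIST = """
http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1-1etch2.dsc
  Size/MD5 checksum:      940 62d31adf6a658ab089df66916148d2d8
http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1.orig.tar.gz
  Size/MD5 checksum:  1297839 07f09d8429916481e09e84fd01e97355
http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1-1etch2.diff.gz
  Size/MD5 checksum:     8069 6e5e17af4148911137b1a8aebaa8096c
http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1-1etch2_all.deb
  Size/MD5 checksum:  1025742 93417b16a120eada12b807b8372cc858
"""

_CHECKSUM_LINE = re.compile(r"Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})")


def parse_file_list(text):
    """Map file basename -> (size, md5) from an advisory file list.

    A checksum line is attached to the most recent URL line; a checksum
    line without a preceding URL, or a URL without a checksum, is ignored.
    """
    expected = {}
    url = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("http://") or line.startswith("https://"):
            url = line
            continue
        m = _CHECKSUM_LINE.search(line)
        if m and url:
            expected[url.rsplit("/", 1)[1]] = (int(m.group(1)), m.group(2))
            url = None
    return expected


def verify_bytes(name, data, expected):
    """Return (ok, reason) for file contents `data` claimed to be `name`."""
    if name not in expected:
        return False, "not listed in advisory"
    size, md5 = expected[name]
    if len(data) != size:
        return False, "size %d != %d" % (len(data), size)
    if hashlib.md5(data).hexdigest() != md5:
        return False, "md5 mismatch"
    return True, "ok"


def verify_download(path, expected):
    """Check a file on disk; the basename must match the advisory's URL."""
    with open(path, "rb") as f:
        return verify_bytes(os.path.basename(path), f.read(), expected)


if __name__ == "__main__":
    import sys
    listed = parse_file_list(ADVISORY_FILE_LIST)
    for path in sys.argv[1:]:
        ok, reason = verify_download(path, listed)
        print("%s: %s" % (path, reason))
        if not ok:
            sys.exit(1)
```

Usage is `python verify.py python-django_0.95.1-1etch2_all.deb` after the wget step; a non-zero exit means do not run dpkg -i on that file.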
- - ---------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSNT1Q2z0hbPcukPfAQLGLQgAsA4MuOT8zyDNY/lR4ONjr+t1eJr583er
u77Z3nn5zGn6DoOUEww7tRV04I2iMI+s2jAbFLcw8j3Q7U+AY3HXtJq0Tlk2Zyup
OKAZdiCNIYMR4gulWrs0MQG0cWePLvK5hjSL2Hmol651p288vVQ1k/CknCVX8j0s
L/l+fB1XhOCvF2Mk985iBT5ZVw9fpHHjiK+QVE3HEayGNHzEr9oTE/GEhIYv6SZ0
eIWzmNHVYmBuevMun7Hn31AqYe4WRAfza+AWryt8RnGCGOVLbRFJ2YO4zsNh+9Ps
p0GLXWM4JKqferyzZgwsl2/1sb7PdtWWgWynQbOSG/7NxsG5SyHDmA==
=1lGA
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading
at a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSNg6Vih9+71yA2DNAQIdlgQAm3reuZ9pdqsbu08bDrnH8e18hPA3qV7F
Pk3volAd3Xilw6lo3I0bqN+5lwVeSi707aiafYljTV8RZf5d+mEK41nud19WILVh
EAVL9Sc0T38f9TaYm3T1tTczrr1IFZXSUZYy3F4YE7ntfoteAJ7gx9ts27NMijaT
ZWGkbFMMmBM=
=YTuM
-----END PGP SIGNATURE-----