Operating System:

[Win][UNIX/Linux][Debian]

Published:

15 August 2012

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2012.0775 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0775
                       python-django security update
                              15 August 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-django
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
                   Denial of Service    -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3444 CVE-2012-3443 CVE-2012-3442

Original Bulletin: 
   http://www.debian.org/security/2012/dsa-2529

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running python-django check for an updated version of the software 
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2529-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
August 14, 2012                        http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : python-django
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
Debian Bug     : 683364

Jeroen Dekkers and others reported several vulnerabilities in Django,
a Python Web framework. The Common Vulnerabilities and Exposures
project defines the following issues:

CVE-2012-3442

    Two functions do not validate the scheme of a redirect target,
    which might allow remote attackers to conduct cross-site scripting
    (XSS) attacks via a data: URL.

CVE-2012-3443

    The ImageField class completely decompresses image data during image
    validation, which allows remote attackers to cause a denial of service
    (memory consumption) by uploading an image file.

CVE-2012-3444

    The get_image_dimensions function in the image-handling functionality
    uses a constant chunk size in all attempts to determine dimensions,
    which allows remote attackers to cause a denial of service (process
    or thread consumption) via a large TIFF image.

For the stable distribution (squeeze), this problem has been fixed in
version 1.2.3-3+squeeze3.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.1-1.

We recommend that you upgrade your python-django packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJQKq3KAAoJEFb2GnlAHawE8hMIAKNQuSMjICwTzposnEnW7zVm
I5gDaLDI8Yu3xGrnqnI8n0uPug2NpjyIVMb408oupfSsaBKmnYkYJgVgy3VpRu1Z
L8a45HdjOkDZEgDTYJIUM/jMp0coRcHj8oLLxYczl9ImTXqJC/OlSb51iqrspiZf
aFaG1Ct2TLZb+Lp3IEv6JJMhknRsGSqS1Tk9ewvnueuxgkw+prWtpWM6PclzmZxu
0INZlMQ9jIYBS5BKzfi47taaKcrEZ1xiBBupPwFjghJEZDMcRLTFCvptzMgIDfle
Eu31UGxkbrqkLpVUBY8wgmvlrQGhW05nkQKmojfvf6EU/95SAEC8TkbndWSt5i0=
=Nscn
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUCso/u4yVqjM2NGpAQLpSA//ezLsfVl1ohnh8KtjvwLddM+JIgw2GrtD
ibgF/9hDA4javLHBFv8p8LXQ6zOyB6zLEfCpiFOFMlNogB3Y9ExPTJSH+oeGOrdI
2BcQtXi4TM9z9V2bXdDmUO6NyvSWQoZsFNbQzQY5EphN+2oJ0OifVRix41cuVubi
ZbPpbVf2IntyXkM+scb71HzGUuEi8Ys4eyq5JJ0avHLtEMoIv/mDJhtsRrHRdj7Q
xUBmVNE7utH5SOShhaXaug1rove9V7ljwp+ROTUrlTPQhi81GcdZ6DfLoSXK9y2d
OB00vSZt9Uadp6T9CWbBmJ93eYWSZ0CT/wTOsCYbC8fnUXkrgn1tDg9Ewd9K6hru
z4bBrw/uq0tELTiWQAg3OzDUzsQpJUxlxo49XzWllN/9Vo5JaUSbyy79IXX7OGDu
cCf+U9UaFXocPQfNsJBYtyE4MS2F6SDxP5a8f9Tn5qxBx+06q7ZQGOTCvU18R9Lq
0JfmMLhipjaH4CTXoPZbcx2dxX5CsNRpAvY5NypSYJmannhlm918KJDtLJ/Htu0i
FK34l6u2ZridsHvdtEymR04mwbR83ZNdqhVefJqO3Ll9Q0zbIkOOLjb9rVkGghRb
M1W+pue63vuufaY9hThCrnvjv1fsjF5D+jeCSq3V12pcH+gq4n3XFCXXK18i0Rnz
8iG1Vph9ncY=
=Yegz
-----END PGP SIGNATURE-----