-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1439
                        python-django security update
                               25 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-django
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
                   Access Confidential Data       -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0483 CVE-2014-0482 CVE-2014-0481 CVE-2014-0480

Original Bulletin:
   http://www.debian.org/security/2014/dsa-3010

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running python-django check for an updated version of the software
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3010-1                   security@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
August 22, 2014                        http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : python-django
CVE ID         : CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483

Several vulnerabilities were discovered in Django, a high-level Python web
development framework.
The Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2014-0480

    Florian Apolloner discovered that in certain situations, URL
    reversing could generate scheme-relative URLs which could
    unexpectedly redirect a user to a different host, leading to
    phishing attacks.

CVE-2014-0481

    David Wilson reported a file upload denial of service
    vulnerability. Django's file upload handling in its default
    configuration may degrade to producing a huge number of `os.stat()`
    system calls when a duplicate filename is uploaded. A remote
    attacker with the ability to upload files can cause poor
    performance in the upload handler, eventually causing it to become
    very slow.

CVE-2014-0482

    David Greisen discovered that under some circumstances, the use of
    the RemoteUserMiddleware middleware and the RemoteUserBackend
    authentication backend could result in one user receiving another
    user's session, if a change to the REMOTE_USER header occurred
    without corresponding logout/login actions.

CVE-2014-0483

    Collin Anderson discovered that it is possible to reveal any
    field's data by modifying the "popup" and "to_field" parameters of
    the query string on an admin change form page. A user with access
    to the admin interface, and with sufficient knowledge of model
    structure and the appropriate URLs, could construct popup views
    which would display the values of non-relationship fields,
    including fields the application developer had not intended to
    expose in such a fashion.

For the stable distribution (wheezy), these problems have been fixed in
version 1.4.5-1+deb7u8.

For the unstable distribution (sid), these problems have been fixed in
version 1.6.6-1.

We recommend that you upgrade your python-django packages.
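Editor's note on CVE-2014-0480 above. A scheme-relative URL such as "//other.example/login" carries no scheme, so the browser resolves it against whatever host follows the two slashes, not the host that issued the redirect; that is what turns a URL-reversing bug into a phishing vector. The check below is an added, self-contained illustration of how a view can refuse such a target before redirecting. It is not Django's code (Django ships its own helper for this purpose) and not part of the advisory; the host allow-list and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Added, defender-side illustration of the failure mode behind CVE-2014-0480.
# Everything below (function names, the allow-list, the sample URLs) is
# constructed for this example and is not the project's own code.


def is_safe_redirect_target(url: str, allowed_hosts: set[str]) -> bool:
    """Return True only for a path on the current host or an http(s) URL
    whose host is in allowed_hosts; scheme-relative URLs are rejected."""
    if not url:
        return False
    # Browsers treat a backslash like a slash in the authority part, so
    # normalise first or "/\other.example" would pass as a same-host path.
    normalised = url.replace("\\", "/")
    if normalised.startswith("//"):
        # Scheme-relative: resolves to whatever host follows the slashes.
        return False
    parts = urlsplit(normalised)
    if not parts.scheme and not parts.netloc:
        # Path-only reference such as "/accounts/profile/": stays on host.
        return True
    if parts.scheme not in ("http", "https"):
        # "javascript:", "data:" and similar are never valid redirect targets.
        return False
    return parts.hostname in allowed_hosts


def choose_redirect(requested: str, allowed_hosts: set[str], fallback: str = "/") -> str:
    """Pick the post-login redirect: the requested target if it is safe,
    otherwise a fixed same-host fallback."""
    return requested if is_safe_redirect_target(requested, allowed_hosts) else fallback


if __name__ == "__main__":
    hosts = {"app.example"}  # constructed allow-list
    for target in ("/accounts/profile/",
                   "//other.example/login",
                   "/\\other.example",
                   "https://app.example/dashboard",
                   "https://other.example/",
                   "javascript:alert(1)"):
        print(f"{target!r:36} -> {choose_redirect(target, hosts)}")
```

The backslash normalisation matters because browsers accept "\\" where the URL grammar says "/", so a check that only looks for a leading "//" can be bypassed by "/\\host"; rejecting anything that is not a plain path or an http(s) URL to an allow-listed host is the conservative rule.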
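Editor's note on CVE-2014-0481 above. The degradation the advisory describes comes from de-duplicating an uploaded filename by appending an incrementing counter and probing each candidate with a stat call: the k-th duplicate of the same name costs k probes, so N uploads cost on the order of N^2 stat calls. The fixed Django releases replaced the counter with a random suffix, which makes the cost per upload constant. The code below is an added illustration of both strategies against a constructed in-memory storage stand-in that counts probes; it is not Django's implementation, and the class and function names are this example's own.

```python
import os
import secrets
import string

# Added illustration of the CVE-2014-0481 failure mode and its mitigation.
# CountingStorage, the two naming strategies and the sample filename are
# constructed for this example; none of it is Django's own code.

ALPHABET = string.ascii_letters + string.digits


class CountingStorage:
    """Stand-in for a file storage backend: remembers which names are taken
    and counts every exists() probe, which on a filesystem backend is one
    os.stat() call."""

    def __init__(self):
        self.names = set()
        self.stat_calls = 0

    def exists(self, name):
        self.stat_calls += 1
        return name in self.names

    def save(self, name, pick_name):
        final = pick_name(self, name)
        self.names.add(final)
        return final


def counter_available_name(storage, name):
    """Counter-based de-duplication: report.pdf, report_1.pdf, report_2.pdf, ...
    The k-th duplicate probes k names before finding a free one."""
    root, ext = os.path.splitext(name)
    candidate, n = name, 1
    while storage.exists(candidate):
        candidate = f"{root}_{n}{ext}"
        n += 1
    return candidate


def random_available_name(storage, name, length=7):
    """Random-suffix de-duplication: report.pdf, report_x8Kq2Lm.pdf, ...
    A free name is found after a constant number of probes regardless of
    how many duplicates already exist."""
    root, ext = os.path.splitext(name)
    candidate = name
    while storage.exists(candidate):
        suffix = "".join(secrets.choice(ALPHABET) for _ in range(length))
        candidate = f"{root}_{suffix}{ext}"
    return candidate


def stat_cost(pick_name, uploads, filename="report.pdf"):
    """Total exists() probes needed to store `uploads` copies of one filename."""
    storage = CountingStorage()
    for _ in range(uploads):
        storage.save(filename, pick_name)
    return storage.stat_calls


if __name__ == "__main__":
    for n in (10, 100, 1000):
        print(f"{n:5} duplicates: counter={stat_cost(counter_available_name, n):8}"
              f"  random={stat_cost(random_available_name, n):5}")
```

With the counter strategy the total is N(N+1)/2 probes for N duplicates; with a 7-character alphanumeric suffix (about 3.5e12 possible names) the second probe is free with overwhelming probability, so the total stays close to 2N. When reviewing an upload handler, the question to ask is exactly this: does the cost of naming the next file depend on how many files already share its name?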
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJT961QAAoJEAVMuPMTQ89Ek1cP/j0scgKT8Sn1GFT5iIqwWxny
3vrKdRknxLE/F6t3dbCkSKCgv0syEfBQb+SjrjV/scUC8fibV9mgG8QnV/JLG80z
9OMhPaDBlyvwCal0S77x/OxDz1zL/nKxWBw4X4KRDZvpp127hQjfPqaJ9oIrClzy
Cfuz8vKuVevIMzodcxvWu3th3SrWGw7/g5Tn3hioSY3iWyseL1PgcfihL9udnSWx
rFoch/vZU3nQNvo8b2p+J5KUc3ScULzRlEzRiFTrKCfPNasmVa6Me82cPBD1aFP8
uNjLoEmGgG/6ASDbTZhYjCR5bI7sP1zTyEHMpwzE/hKxCLALXcKQe11IdrnkUVHc
r1LLYs+n8Iu9/z9DewIxwu0gM7csWeN3kWfsb4iyFJ7Ne2XvRKu/Z2d2fXk7Avn/
QZ+zQndkNE2JxKGSTLbH5hd6TwrbcNGvL34kesNGdIW6MDfQcQWCN32x0Yv+Wo9t
MGNT0bueeKZHLSysdXeYK0OJCT7Xu4OOpckgg2JOmVleNnY48dh3rpT0cNCW7FXf
kp3JR1ue8trsCN/eVSrtuHfpWvGu7kdKJUtQFb1Vm6TVoMgF+yqdclsGA9rbcwl4
DyPR0X+IKdjd6jAgvRmJgARHtp407a9nuTVoeG0dMUqB4GcTEpzLmiQnMeotanb8
TVdUNBobncNRo2ERBo/d
=QCy+
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU/qPxRLndAQH1ShLAQKGYg/+OiokRUrlsuk2LdY4levjfC26UsacZi8x
XwafYAt6U2iGbA5RC6mSd8yI8L+mnLrneROl7IiUuZQlgKNxzemMSS+zcsZ061LD
As6E3BDzGdk1LUGDLftnwmMN5iXmUmldpDkBX/H2aUSRtE+Izu4/rGHejRV734+D
ZY+VHxrL9qVTD2nyzWeEunurdOX8mI6vPkVwpOgz4PO/4E9vikMhA1hfPNhZBUvq
gbNwr+WUsDGXLX8tSXLIq1MbLTrrPPr6nq6/1WnyNJP3xysNcaCgMm6evgRwDVuk
POa0juEfvUf07RW/A0Qc7lGH2OcYNeX5HMrx/P3SO7ozehXprsuuVV3U6mMLBcIT
fCX4t8Orwd2+JazSNN+gW7MSLbTs8dlKqmsj1lnN24TN6L7kOYV5OQ5vvx/lp8ZP
OHVroo5rfmbK7Dcz7ILdkxfEn33isX8K84tjX7nF3GaPkhHkaE6A3f1dMIN51Ssl
YktFImrXLtBtXmkPb3j22dPJHZpNuya2taT74VsChP5wsFgYXZalD/p3zL7jw8eZ
kbNMFs5RwsJZORB5+ivZDNdmzOSnTMOxpHDmphZEaOHbxFWZM2PKQPKI6l34C3rP
JUHgawFTJvfv205eyoH8PAfQDeGBz2o7w34ia+6Ia6beXR8JDwwKs5qoqy/eSbth
3mQwooOp9cA=
=38T/
-----END PGP SIGNATURE-----