-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1439
                       python-django security update
                              25 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-django
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
                   Access Confidential Data       -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0483 CVE-2014-0482 CVE-2014-0481
                   CVE-2014-0480  

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-3010

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running python-django check for an updated version of the software 
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3010-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
August 22, 2014                        http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : python-django
CVE ID         : CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483

Several vulnerabilities were discovered in Django, a high-level Python
web development framework. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2014-0480

    Florian Apolloner discovered that in certain situations, URL
    reversing could generate scheme-relative URLs which could
    unexpectedly redirect a user to a different host, leading to
    phishing attacks.
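    The practical defence on the application side is to validate every
    redirect target before following it, treating a scheme-relative
    target ("//other.host/...") exactly like an absolute one. The function
    below is an added illustration written for this bulletin, not Django's
    own code; the allowed host and the sample targets are constructed.

```python
from urllib.parse import urlsplit

def is_safe_redirect(target: str, allowed_host: str) -> bool:
    """Return True only if `target` stays on `allowed_host`.

    Covers the scheme-relative case behind CVE-2014-0480: "//evil.example/"
    has an empty scheme but a non-empty netloc, so it must be rejected like
    any other foreign absolute URL.
    """
    if not target:
        return False
    # Browsers treat a backslash in a URL like a forward slash, so normalise
    # first; otherwise "/\evil.example" would look like a harmless local path.
    target = target.replace("\\", "/")
    # Browsers also read three or more leading slashes as an absolute URL,
    # while urlsplit() parses "///host" as a path; refuse that shape outright.
    if target.startswith("///"):
        return False
    parts = urlsplit(target)
    if parts.netloc:
        # Any explicit host, including a scheme-relative one, must be ours,
        # and the scheme (if any) must be plain http/https.
        return (parts.netloc.lower() == allowed_host.lower()
                and parts.scheme in ("", "http", "https"))
    # No host: accept only a plain path, not e.g. "javascript:..." or "data:".
    return not parts.scheme

def classify_targets(targets, allowed_host="app.example"):
    """Constructed helper: map each candidate redirect to its verdict."""
    return {t: is_safe_redirect(t, allowed_host) for t in targets}

if __name__ == "__main__":
    # Constructed sample redirect targets, including the scheme-relative form.
    for target, ok in classify_targets([
        "/account/",
        "https://app.example/account/",
        "//evil.example/login",
        "/\\evil.example",
        "///evil.example",
        "javascript:alert(1)",
    ]).items():
        print(f"{'SAFE  ' if ok else 'REJECT'} {target}")
```

    Apply the check to the value passed to any redirect, including a URL
    produced by reversing a pattern; a target that fails the check should
    fall back to a fixed local path rather than be followed.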

CVE-2014-0481

    David Wilson reported a file upload denial of service vulnerability.
    Django's file upload handling in its default configuration may
    degrade to producing a huge number of `os.stat()` system calls when
    a duplicate filename is uploaded. A remote attacker with the ability
    to upload files can cause poor performance in the upload handler,
    eventually causing it to become very slow.
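    The mitigation pattern is to bound the number of sequential
    "name_1, name_2, ..." candidates that are probed and then switch to a
    random suffix, so repeated uploads of one filename cost a constant
    number of existence checks instead of a growing one. The simulation
    below is an added example written for this bulletin, not Django's
    storage code; the `exists` callback stands in for the `os.stat()` call
    and is backed by an in-memory set so the example runs offline.

```python
import os
import secrets

MAX_SEQUENTIAL_ATTEMPTS = 5  # constructed bound for the example

def get_available_name(name, exists, max_sequential=MAX_SEQUENTIAL_ATTEMPTS):
    """Return (unique_name, checks_performed).

    `exists(candidate)` is the existence probe (an os.stat() in a real
    storage backend). After `max_sequential` numbered candidates a random
    suffix is used, which keeps the number of probes per upload bounded.
    """
    root, ext = os.path.splitext(name)
    checks = 1
    if not exists(name):
        return name, checks
    for n in range(1, max_sequential + 1):
        candidate = f"{root}_{n}{ext}"
        checks += 1
        if not exists(candidate):
            return candidate, checks
    # Past the bound: 8 hex chars of randomness; a collision is negligible,
    # so this loop almost always ends on the first pass.
    while True:
        candidate = f"{root}_{secrets.token_hex(4)}{ext}"
        checks += 1
        if not exists(candidate):
            return candidate, checks

def simulate_uploads(count, max_sequential):
    """Upload the same filename `count` times; return total existence checks."""
    stored = set()  # constructed stand-in for the upload directory
    total = 0
    for _ in range(count):
        chosen, checks = get_available_name("report.pdf", lambda n: n in stored,
                                            max_sequential)
        stored.add(chosen)
        total += checks
    return total

if __name__ == "__main__":
    # Unbounded sequential probing grows quadratically with the upload count.
    print("unbounded:", simulate_uploads(200, max_sequential=10**9))
    print("bounded:  ", simulate_uploads(200, max_sequential=MAX_SEQUENTIAL_ATTEMPTS))
```

    With 200 duplicate uploads the unbounded strategy performs 1 + 2 + ... +
    200 = 20100 probes, while the bounded one stays at roughly seven per
    upload after the first few.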

CVE-2014-0482

    David Greisen discovered that under some circumstances, the use of
    the RemoteUserMiddleware middleware and the RemoteUserBackend
    authentication backend could result in one user receiving another
    user's session, if a change to the REMOTE_USER header occurred
    without corresponding logout/login actions.
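    The defensive rule is that the identity asserted by the REMOTE_USER
    header and the identity stored in the session must be reconciled on
    every request: a header naming a different user, or a header that has
    disappeared, must end the existing session rather than let it carry
    over. The following is an added, framework-free illustration of that
    rule written for this bulletin; it is not Django's middleware, and the
    session key name and sample request sequence are constructed.

```python
SESSION_USER_KEY = "user"  # constructed session key, not a Django internal

def reconcile_remote_user(session: dict, remote_user):
    """Reconcile the session with the REMOTE_USER value of one request.

    Returns the action taken: "anonymous", "login", "keep", "switch" or
    "logout". The session dict is mutated in place.
    """
    current = session.get(SESSION_USER_KEY)
    if remote_user is None:
        # Header missing: an authenticated session must not survive it.
        if current is None:
            return "anonymous"
        session.clear()
        return "logout"
    if current is None:
        session[SESSION_USER_KEY] = remote_user
        return "login"
    if current == remote_user:
        return "keep"
    # Header names someone else: discard the old user's session entirely
    # before establishing the new identity, so nothing of it is inherited.
    session.clear()
    session[SESSION_USER_KEY] = remote_user
    return "switch"

def replay(remote_users):
    """Run a sequence of REMOTE_USER values through one session.

    Returns (actions, final_session) for inspection.
    """
    session = {}
    actions = [reconcile_remote_user(session, ru) for ru in remote_users]
    return actions, session

if __name__ == "__main__":
    # Constructed request sequence: alice logs in, stays, the front end
    # then asserts bob on the same session cookie, then sends no header.
    actions, final = replay(["alice", "alice", "bob", None])
    for ru, action in zip(["alice", "alice", "bob", None], actions):
        print(f"REMOTE_USER={ru!r:10} -> {action}")
    print("final session:", final)
```

    The "switch" branch is the one that matters for this advisory: the
    request that first carries a different REMOTE_USER must never be served
    with the previous user's session contents.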

CVE-2014-0483

    Collin Anderson discovered that it is possible to reveal any field's
    data by modifying the "popup" and "to_field" parameters of the query
    string on an admin change form page. A user with access to the admin
    interface, and with sufficient knowledge of model structure and the
    appropriate URLs, could construct popup views which would display
    the values of non-relationship fields, including fields the
    application developer had not intended to expose in such a fashion.

For the stable distribution (wheezy), these problems have been fixed in
version 1.4.5-1+deb7u8.

For the unstable distribution (sid), these problems have been fixed in
version 1.6.6-1.

We recommend that you upgrade your python-django packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
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=QCy+
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=38T/
-----END PGP SIGNATURE-----