===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0881
                        python-django security update
                                 8 April 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-django
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
Impact/Access:     Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2513 CVE-2016-2512

Reference:         ASB-2016.0026

Original Bulletin:
   http://www.debian.org/security/2016/dsa-3544

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3544-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
April 07, 2016                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : python-django
CVE ID         : CVE-2016-2512 CVE-2016-2513
Debian Bug     : 816434

Several vulnerabilities were discovered in Django, a high-level Python web
development framework. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2016-2512

    Mark Striemer discovered that some user-supplied redirect URLs
    containing basic authentication credentials are incorrectly handled,
    potentially allowing a remote attacker to perform a malicious redirect
    or a cross-site scripting attack.

CVE-2016-2513

    Sjoerd Job Postmus discovered that Django allows user enumeration
    through timing difference on password hasher work factor upgrades.
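As an added illustration of the kind of redirect-target check that the CVE-2016-2512 description above calls for (my own example, not code from Django or from this advisory; the function name is_safe_redirect and the allowed_host parameter are assumed names), the validator below refuses any "next" URL that carries basic-auth credentials, and also the backslash and triple-slash forms that browsers and URL parsers interpret differently.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(url, allowed_host):
    """Decide whether a user-supplied "next" URL may be used as a redirect.

    Only a relative path, or an http(s) URL whose authority is exactly
    allowed_host (include the port there if one is expected), is accepted.
    URLs carrying basic-auth credentials (user:pass@host) are refused
    outright, because a URL parser and a browser may disagree about
    which part of the authority is the host.
    """
    if not url:
        return False
    url = url.strip()
    # Browsers normalise backslashes to slashes but urlsplit does not, so
    # "http://good.example\@evil.example" can parse as good.example yet
    # send the browser to evil.example. Refuse rather than guess.
    if "\\" in url:
        return False
    # Browsers treat ///host as scheme-relative (//host); urlsplit sees an
    # empty netloc and a path, so rule it out explicitly.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # A scheme with no authority (http:///evil.example) is a path to
    # urlsplit but a host to some browsers; it also catches javascript:.
    if parts.scheme and not parts.netloc:
        return False
    # Any "@" in the authority means userinfo (credentials) was supplied.
    if "@" in parts.netloc:
        return False
    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Scheme-relative (//host/...) or absolute: authority must match exactly.
    if parts.netloc and parts.netloc.lower() != allowed_host.lower():
        return False
    return True
```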
For the oldstable distribution (wheezy), these problems have been fixed
in version 1.4.5-1+deb7u16.

For the stable distribution (jessie), these problems have been fixed in
version 1.7.7-1+deb8u4.

For the testing distribution (stretch), these problems have been fixed
in version 1.9.4-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.4-1.

We recommend that you upgrade your python-django packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================