Security releases issued - Django 1.3.6, Django 1.4.4
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| python-django (Ubuntu) | Fix Released | Medium | Unassigned | |
| Lucid | Fix Released | Medium | Unassigned | |
| Oneiric | Fix Released | Medium | Unassigned | |
| Precise | Fix Released | Medium | Unassigned | |
| Quantal | Fix Released | Medium | Unassigned | |
| Raring | Fix Released | Medium | Unassigned | |
Bug Description
Here's a brief summary of each issue and its resolution:
Issue: Host header poisoning: an attacker could cause Django to generate and display URLs that link to arbitrary domains. This could be used as part of a phishing attack. These releases fix this problem by introducing a new setting, ALLOWED_HOSTS, which specifies a whitelist of domains your site is known to respond to.
Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to allow all hosts. This means that to actually fix the security vulnerability you should define this setting yourself immediately after upgrading.
Issue: Formset denial-of-service: an attacker can abuse Django's tracking of the number of forms in a formset to cause a denial-of-service attack. This has been fixed by adding a default maximum number of forms of 1,000. You can still manually specify a bigger max_num, if you wish, but 1,000 should be enough for anyone.
Issue: XML denial of service attacks: Django's serialization framework was vulnerable to denial of service attacks via XML entity expansion and external references; this is now fixed. However, if you're parsing arbitrary XML in other parts of your application, we recommend you look into the defusedxml Python packages which remedy this anywhere you parse XML, not just via Django's serialization framework.
Issue: Data leakage via admin history log: Django's admin interface could expose supposedly-hidden information via its history log. This has been fixed.
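The following is an added example, not code from the bug report or from Django itself, showing why the "define ALLOWED_HOSTS yourself" note above matters. `validate_host` re-implements the whitelist semantics the description gives for ALLOWED_HOSTS (exact host names, a leading dot for a domain and all its subdomains, `*` for anything), and `password_reset_link` is a hypothetical stand-in for a view that builds an absolute URL from the incoming Host header, as a password-reset e-mail does. `SuspiciousOperation`, the attacker's request headers and the `.example.com` whitelist are all constructed for the example.

```python
"""Added example (not Django's code): what ALLOWED_HOSTS changes.

Everything here is standard library. The checks mirror the behaviour the
advisory describes; they are not Django's own implementation.
"""
import re

# Shape check for the Host header: a host name or a bracketed IPv6 literal,
# optional port, nothing else (no "/", "@", spaces). Anything that fails this
# regex is rejected before the whitelist is consulted.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")

# What Django 1.3.6 / 1.4.4 ship by default: every host is accepted, so the
# upgrade alone does not close the hole.
ALLOWED_HOSTS_SHIPPED_DEFAULT = ["*"]

# What a deployment should set immediately after upgrading (constructed value).
ALLOWED_HOSTS_HARDENED = [".example.com"]


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation (a 400 response)."""


def validate_host(host, allowed_hosts):
    """True if `host` (from the Host header) is covered by the whitelist."""
    host = host.lower()
    if not HOST_RE.match(host):
        return False
    # Strip the port, but leave a bare IPv6 literal such as "[::1]" alone.
    domain = host if host.endswith("]") else host.rsplit(":", 1)[0]
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            # ".example.com" matches example.com and any subdomain of it.
            if domain == pattern[1:] or domain.endswith(pattern):
                return True
        elif pattern == domain:
            return True
    return False


def password_reset_link(headers, allowed_hosts, token):
    """Build the absolute reset URL a view would put in an e-mail."""
    host = headers.get("Host", "")
    if not validate_host(host, allowed_hosts):
        raise SuspiciousOperation("Invalid HTTP_HOST header: %r" % host)
    return "https://%s/accounts/reset/%s/" % (host, token)


def poisoning_outcome(allowed_hosts):
    """Return the link an attacker-chosen Host header yields, or 'rejected'."""
    attacker_request = {"Host": "evil.example.net"}  # constructed request
    try:
        return password_reset_link(attacker_request, allowed_hosts, "3x-abc123")
    except SuspiciousOperation:
        return "rejected"


if __name__ == "__main__":
    print("ALLOWED_HOSTS = ['*']:            ", poisoning_outcome(ALLOWED_HOSTS_SHIPPED_DEFAULT))
    print("ALLOWED_HOSTS = ['.example.com']: ", poisoning_outcome(ALLOWED_HOSTS_HARDENED))
```

With the shipped default the victim receives a reset link pointing at `evil.example.net`, which is exactly the phishing primitive the advisory describes; with a real whitelist the request is refused before any URL is built. Note that `example.com.evil.net` is not matched by `.example.com`, since the check is a suffix match on the dot-prefixed pattern, not a substring search.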
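The next block is also an added example, not code from the bug report, from Django or from defusedxml. It applies the policy the XML fix and the defusedxml recommendation above describe (no DTDs, no entity declarations, no external references) to a plain standard-library expat parser, and runs a constructed entity-expansion payload, shaped like Django's serializer output, through a stock parser and the hardened one. The exception class names and the two payloads (`ENTITY_BOMB`, `EXTERNAL_REF`) are the example's own.

```python
"""Added example (not Django's or defusedxml's code): an expat parser that
refuses DTDs, entity declarations and external references, next to a stock
parser that expands entities. Standard library only.
"""
import xml.parsers.expat as expat


class DTDForbidden(ValueError):
    pass


class EntitiesForbidden(ValueError):
    pass


class ExternalReferenceForbidden(ValueError):
    pass


# Constructed payload in the shape of Django's XML serializer output, carrying
# a small "billion laughs" DTD: &lol3; expands to 1000 copies of "lol" (3000
# characters) from a few hundred bytes of input. A real attack adds more levels.
ENTITY_BOMB = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE lolz [\n'
    ' <!ENTITY lol "lol">\n'
    ' <!ENTITY lol1 "' + "&lol;" * 10 + '">\n'
    ' <!ENTITY lol2 "' + "&lol1;" * 10 + '">\n'
    ' <!ENTITY lol3 "' + "&lol2;" * 10 + '">\n'
    ']>\n'
    '<django-objects version="1.0">'
    '<object pk="1" model="app.note"><field name="body">&lol3;</field></object>'
    '</django-objects>'
)

# Constructed payload that declares an external entity (the XXE pattern).
EXTERNAL_REF = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    '<django-objects version="1.0">'
    '<object pk="1" model="app.note"><field name="body">&xxe;</field></object>'
    '</django-objects>'
)


def vulnerable_parser():
    """A stock expat parser: DTDs and internal entity expansion are allowed."""
    return expat.ParserCreate()


def hardened_parser():
    """Expat parser that raises as soon as a DTD, entity or external reference appears."""
    parser = expat.ParserCreate()
    # Never read parameter entities, i.e. never fetch an external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def forbid_dtd(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden("DTD %r is forbidden" % name)

    def forbid_entity(name, is_parameter_entity, value, base, sysid, pubid, notation):
        raise EntitiesForbidden("entity %r is forbidden" % name)

    def forbid_unparsed(name, base, sysid, pubid, notation):
        raise EntitiesForbidden("unparsed entity %r is forbidden" % name)

    def forbid_external(context, base, sysid, pubid):
        raise ExternalReferenceForbidden("external reference %r is forbidden" % sysid)

    parser.StartDoctypeDeclHandler = forbid_dtd
    parser.EntityDeclHandler = forbid_entity
    parser.UnparsedEntityDeclHandler = forbid_unparsed
    parser.ExternalEntityRefHandler = forbid_external
    return parser


def field_text(parser, document):
    """Parse `document`, returning the concatenated text of all <field> elements."""
    chunks = []
    inside_field = [False]

    def start(name, attrs):
        inside_field[0] = (name == "field")

    def end(name):
        if name == "field":
            inside_field[0] = False

    def chars(data):
        if inside_field[0]:
            chunks.append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(document, True)
    return "".join(chunks)


def rejection(document):
    """Name of the exception the hardened parser raises for `document`, or None."""
    try:
        field_text(hardened_parser(), document)
    except (DTDForbidden, EntitiesForbidden, ExternalReferenceForbidden) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    expanded = field_text(vulnerable_parser(), ENTITY_BOMB)
    print("stock parser: %d input bytes became %d characters" % (len(ENTITY_BOMB), len(expanded)))
    print("hardened parser, entity bomb:", rejection(ENTITY_BOMB))
    print("hardened parser, external entity:", rejection(EXTERNAL_REF))
```

The stock parser happily turns the three-level payload into 3000 characters of field text (each extra level multiplies that by ten, which is the denial of service), while the hardened parser stops at the `<!DOCTYPE` and never reaches the entity declarations. A document with no DTD at all still parses normally, which is all a deserializer of trusted fixture data needs.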
information type: Public → Public Security
Changed in python-django (Ubuntu Lucid): status: New → Confirmed
Changed in python-django (Ubuntu Oneiric): status: New → Confirmed
Changed in python-django (Ubuntu Precise): status: New → Confirmed
Changed in python-django (Ubuntu Quantal): status: New → Confirmed
Changed in python-django (Ubuntu Raring): status: New → Confirmed
Changed in python-django (Ubuntu Lucid): importance: Undecided → Medium
Changed in python-django (Ubuntu Oneiric): importance: Undecided → Medium
Changed in python-django (Ubuntu Quantal): importance: Undecided → Medium
Changed in python-django (Ubuntu Raring): importance: Undecided → Medium
Changed in python-django (Ubuntu Precise): importance: Undecided → Medium
Changed in python-django (Ubuntu Raring): status: Confirmed → Fix Released
This bug was fixed in the package python-django - 1.3-2ubuntu1.6

```
python-django (1.3-2ubuntu1.6) oneiric-security; urgency=low

  * SECURITY UPDATE: host header poisoning (LP: #1089337)
    - debian/patches/fix_get_host.patch: tighten host header validation in
      django/http/__init__.py, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: redirect poisoning (LP: #1089337)
    - debian/patches/fix_redirect_poisoning.patch: tighten validation in
      django/contrib/auth/views.py, django/contrib/comments/views/comments.py,
      django/contrib/comments/views/moderation.py,
      django/contrib/comments/views/utils.py, django/utils/http.py,
      django/views/i18n.py, add tests to
      tests/regressiontests/comment_tests/tests/comment_view_tests.py,
      tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
      tests/regressiontests/views/tests/i18n.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: host header poisoning (LP: #1130445)
    - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
      to django/conf/global_settings.py,
      django/conf/project_template/settings.py, django/http/__init__.py,
      django/test/utils.py, add docs to docs/ref/settings.txt, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - No CVE number
  * SECURITY UPDATE: XML attacks (LP: #1130445)
    - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
      and external entities/DTDs in
      django/core/serializers/xml_serializer.py, add tests to
      tests/regressiontests/serializers_regress/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-1664
    - CVE-2013-1665
  * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
    - debian/patches/CVE-2013-0305.patch: add permission checks to history
      view in django/contrib/admin/options.py, add tests to
      tests/regressiontests/admin_views/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0305
  * SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
    - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
      django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
      docs/topics/forms/modelforms.txt, add tests to
      tests/regressiontests/forms/tests/formsets.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0306

 -- Marc Deslauriers <email address hidden>  Mon, 04 Mar 2013 10:33:54 -0500
```