Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2009-2659

The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.

Related bugs and status

CVE-2009-2659 (Candidate) is related to these bugs:

Bug #408825: security update micro-release

		In	Importance	Status
408825	security update micro-release	python-django (Ubuntu)	Undecided	Fix Released
408825	security update micro-release	python-django (Ubuntu Jaunty)	Undecided	Fix Released
408825	security update micro-release	python-django (Ubuntu Dapper)	Undecided	Invalid
408825	security update micro-release	python-django (Ubuntu Hardy)	Undecided	Won't Fix
408825	security update micro-release	python-django (Ubuntu Intrepid)	Undecided	Invalid
408825	security update micro-release	python-django (Ubuntu Karmic)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2009072...
CONFIRM: http://bugs.debian.org...
CONFIRM: http://code.djangoproj...
CONFIRM: http://www.djangoproje...
BID: 35859
FEDORA: FEDORA-2009-8169
FEDORA: FEDORA-2009-8177
SECUNIA: 36137
SECUNIA: 36153