SECURITY - multiple vulnerabilities, upgrade needed to 1.2.5 or 1.1.4
Bug #719031 reported by Guillaume Pratte
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-django (Ubuntu) | Fix Released | Medium | Jamie Strandboge |
Hardy | Won't Fix | Medium | Unassigned |
Karmic | Fix Released | Medium | Jamie Strandboge |
Lucid | Fix Released | Medium | Jamie Strandboge |
Maverick | Fix Released | Medium | Jamie Strandboge |
Natty | Fix Released | Medium | Jamie Strandboge |
Bug Description
Binary package hint: python-django
See this link: http://www.djangoproject.com/weblog/2011/feb/08/security/
No CVE seems to have been assigned yet.
"Today the Django team is issuing multiple releases -- Django 1.2.5 and Django 1.1.4 -- to remedy three security issues reported to us. All users of affected versions of Django are urged to upgrade immediately."
* Flaw in CSRF handling
* Potential XSS in file field rendering
* Directory-traversal vulnerability on Windows
visibility: private → public

Changed in python-django (Ubuntu Hardy):
status: New → Confirmed

Changed in python-django (Ubuntu Karmic):
status: New → Confirmed

Changed in python-django (Ubuntu Lucid):
importance: Undecided → Medium
status: New → Confirmed

Changed in python-django (Ubuntu Maverick):
importance: Undecided → Medium
status: New → Confirmed

Changed in python-django (Ubuntu Natty):
importance: Undecided → Medium
status: New → Confirmed

Changed in python-django (Ubuntu Karmic):
importance: Undecided → Medium

Changed in python-django (Ubuntu Hardy):
importance: Undecided → Medium

Changed in python-django (Ubuntu Lucid):
status: In Progress → Fix Committed

Changed in python-django (Ubuntu Maverick):
status: In Progress → Fix Committed

Changed in python-django (Ubuntu Karmic):
status: In Progress → Fix Committed

Changed in python-django (Ubuntu Natty):
status: Triaged → In Progress
Guillaume Pratte wrote:
> See this link: http://www.djangoproject.com/weblog/2011/feb/08/security/
> No CVE seems to have been assigned yet.
As reported to us (Django), the following IDs have been assigned:
CVE-2011-0696 -- CSRF
CVE-2011-0697 -- file field XSS
CVE-2011-0698 -- directory traversal
--
James Bennett