Home / mailings [USN-2169-1] Django vulnerabilities
Posted on 22 April 2014
Ubuntu Security==========================
==========================
========================
Ubuntu Security Notice USN-2169-1
April 22, 2014
python-django vulnerabilities
==========================
==========================
========================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Django.
Software Description:
- python-django: High-level Python web development framework
Details:
Benjamin Bach discovered that Django incorrectly handled dotted Python
paths when using the reverse() function. An attacker could use this issue=
to cause Django to import arbitrary modules from the Python path, resulti=
ng
in possible code execution. (CVE-2014-0472)
Paul McMillan discovered that Django incorrectly cached certain pages tha=
t
contained CSRF cookies. An attacker could possibly use this flaw to obtai=
n
a valid cookie and perform attacks which bypass the CSRF restrictions.
(CVE-2014-0473)
Michael Koziarski discovered that Django did not always perform explicit
conversion of certain fields when using a MySQL database. An attacker
could possibly use this issue to obtain unexpected results. (CVE-2014-047=
4)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
python-django 1.6.1-2ubuntu0.1
Ubuntu 13.10:
python-django 1.5.4-1ubuntu1.1
Ubuntu 12.10:
python-django 1.4.1-2ubuntu0.5
Ubuntu 12.04 LTS:
python-django 1.3.1-4ubuntu1.9
Ubuntu 10.04 LTS:
python-django 1.1.1-2ubuntu1.10
In general, a standard system update will make all the necessary changes.=
References:
http://www.ubuntu.com/usn/usn-2169-1
CVE-2014-0472, CVE-2014-0473, CVE-2014-0474
Package Information:
https://launchpad.net/ubuntu/+source/python-django/1.6.1-2ubuntu0.1
https://launchpad.net/ubuntu/+source/python-django/1.5.4-1ubuntu1.1
https://launchpad.net/ubuntu/+source/python-django/1.4.1-2ubuntu0.5
https://launchpad.net/ubuntu/+source/python-django/1.3.1-4ubuntu1.9
https://launchpad.net/ubuntu/+source/python-django/1.1.1-2ubuntu1.10
