Date: 10 January 2011
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0023
Django vulnerabilities
10 January 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: python-django
Publisher: Ubuntu
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2010-4535 CVE-2010-4534
Original Bulletin:
http://www.ubuntu.com/usn/usn-1040-1
Comment: This advisory references vulnerabilities in products which run on
platforms other than Ubuntu. It is recommended that administrators
running python-django check for an updated version of the software
for their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
Ubuntu Security Notice USN-1040-1 January 07, 2011
python-django vulnerabilities
CVE-2010-4534, CVE-2010-4535
A security issue affects the following Ubuntu releases:
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.10:
python-django 1.1.1-1ubuntu1.1
Ubuntu 10.04 LTS:
python-django 1.1.1-2ubuntu1.2
Ubuntu 10.10:
python-django 1.2.3-1ubuntu0.2.10.10.1
In general, a standard system update will make all the necessary changes.
Details follow:
Adam Baldwin discovered that Django did not properly validate query string
lookups. This could be exploited to provide an information leak to an
attacker with admin privilieges. (CVE-2010-4534)
Paul McMillan discovered that Django did not validate the length of the
token used when generating a password reset. An attacker could exploit
this to cause a denial of service via resource exhaustion. (CVE-2010-4535)
Updated packages for Ubuntu 9.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-1ubuntu1.1.diff.gz
Size/MD5: 20554 69008b0041f74d261d2dfd833f0cbc71
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-1ubuntu1.1.dsc
Size/MD5: 2215 80222eacb212cce9d95bd988313f1f72
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1.orig.tar.gz
Size/MD5: 5614106 d7839c192e115f9c4dd8777de24dc21c
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django-doc_1.1.1-1ubuntu1.1_all.deb
Size/MD5: 1528844 e46b0b9ab737be222c70d9e5c0445a31
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-1ubuntu1.1_all.deb
Size/MD5: 3869262 679a5d0e5668402d7d019e3a7c73d851
Updated packages for Ubuntu 10.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-2ubuntu1.2.diff.gz
Size/MD5: 43848 69baf8e98b78de3762e12023f71d0704
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-2ubuntu1.2.dsc
Size/MD5: 2215 d18df1b93b0953664165c15870852145
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1.orig.tar.gz
Size/MD5: 5614106 d7839c192e115f9c4dd8777de24dc21c
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django-doc_1.1.1-2ubuntu1.2_all.deb
Size/MD5: 1538222 f962bfdfb7feb43460d2a7124190c4e6
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-2ubuntu1.2_all.deb
Size/MD5: 3881736 455508583d9a7aea7f7555ad376824f5
Updated packages for Ubuntu 10.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.2.10.10.1.debian.tar.gz
Size/MD5: 21609 391d97abadfcdfcc723b47073359f885
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.2.10.10.1.dsc
Size/MD5: 2281 336e74a9d11c13359b9470dec5c4b89f
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3.orig.tar.gz
Size/MD5: 6306760 10bfb5831bcb4d3b1e6298d0e41d6603
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django-doc_1.2.3-1ubuntu0.2.10.10.1_all.deb
Size/MD5: 1906098 5a1417117c2a2825d93bded7ca785824
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.2.10.10.1_all.deb
Size/MD5: 4213194 6cd0e133466c7b624a99c74c3dc56e3c
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967
iD8DBQFNKpAO/iFOrG6YcBERAtIuAKCg52/cikeL1eqM9WRFkPshXvQHmACfb1iV
4gDyj+1eaELWVcx6zsnKl0w=
=qFoO
-----END PGP SIGNATURE-----
|