copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » Security Bul... » AusCERT Exte... » ESB-2013.0285 - [Win][UNIX/Linux][Debian] python-dja...
 

ESB-2013.0285 - [Win][UNIX/Linux][Debian] python-django: Multiple vulnerabilities
Date: 27 February 2013
References: ESB-2013.0328  ESB-2013.0418  ESB-2013.0419  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0285
                       python-django security update
                             27 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-django
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service              -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Access Confidential Data       -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1665 CVE-2013-0306 CVE-2013-0305
                   CVE-2012-4520  

Original Bulletin: 
   http://www.debian.org/security/2013/dsa-2634

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running python-django check for an updated version of the software 
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2634-1                   security@debian.org
http://www.debian.org/security/                                Nico Golde
February 27, 2013                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : python-django
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4520 CVE-2013-0305 CVE-2013-0306 CVE-2013-1665
Debian Bug     : 701186 696535 691145

Several vulnerabilities have been discovered in python-django, a high-level
python web development framework.  The Common Vulnerabilities and
Exposures project identifies the following problems:


CVE-2012-4520

    James Kettle discovered that django did not properly filter the HTTP
    Host header when processing certain requests. An attacker could exploit
    this to generate and cause parts of django, particularly the
    password-reset mechanism, to display arbitrary URLs to users.

CVE-2013-0305

    Orange Tsai discovered that the bundled administrative interface
    of django could expose supposedly-hidden information via its history
    log.

CVE-2013-0306

    Mozilla discovered that an attacker can abuse django's tracking of
    the number of forms in a formset to cause a denial-of-service attack
    due to extreme memory consumption.

CVE-2013-1665

    Michael Koziarski discovered that django's XML deserialization is
    vulnerable to entity-expansion and external-entity/DTD attacks.

For the stable distribution (squeeze), these problems have been fixed in
version 1.2.3-3+squeeze5.

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.4.4-1.

We recommend that you upgrade your python-django packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlEtTDAACgkQHYflSXNkfP88LwCgsgDmBiOX+FSTFcudZy+ORjH1
btIAn0jhDZINYeU9dbrPySi3xbNpaq51
=K8db
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUS2Pqe4yVqjM2NGpAQIEeg//ZbXLTByp1wFrDcJ9UrA5MEIWkw4uBW4U
KZPDfWzRAay/Y/CER8XqavvJe4N06DcqKK+28lf+YzwbU2qCnCaYIOjvqne+8dHY
zyc1oq1J/Gd14bjbOE9/2SBYHuDCrT5YerOx/PRMJM9gffUEFUPUTTqgb1MGDvyv
y9hjbvLF+85LKjAkWDFWFFQb+z92tW/LMA5ltDT10oi+q+Q+FmHCLQhlT4f5Nwoo
AuckFP3FaqzJikFFCGhVJErFeflSrfzRtCaXnsJdu4kURqqaTaVQi2uXNEmm1+tu
NE1jyB2ofTDd+iwKFclPpWjdbSiNY6cuCDD42/UMstGwggoieAKGWnuviKLFLlrR
OTBXDqYLLZ4k7rv3aoFCUJgxw8/5E8m2ikKUnquLJdEfINa0PFtvbeOlBkkYLtDO
GKT7u7wHRt4ykRgZeXcqIBZiebZaXiWmjAmaCbfCwFGpMF6VRz0oj8spvFtaBbBR
Ld1t6SXW4BX3T446K7C+ZpWZ2hzQ56tNn69T0qh54P5xECfWg7RMN4W47LHB8DQY
zeufQujydb58NcGWgW3ZpbyRYaKdYY3iOdE1sFLtUUab0yksiQtMDzSMUF0LBeIl
M7bH8/0WogEYoG9Bo9hUXpYFupBE94e/Br58170GZXJ2RFAgSDZnJ4gYv7wqYeba
7jxGnJPglno=
=z08r
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=1980&it=17089