
Debian: Security update for Django

Paul McMillan, Mozilla and the Django core team discovered several vulnerabilities in Django, a Python web framework. When using memory-based sessions and caching, Django sessions are stored directly in the root namespace of the cache. When user data is stored in the same cache, a remote user may take over a session. Django's field type URLField by default checks supplied URLs by issuing a request to them, which does not time out. A denial of service is possible by supplying specially prepared URLs that keep the connection open indefinitely or fill the Django server's memory. Django used X-Forwarded-Host headers to construct full URLs. This header may contain untrusted input and could be used to poison the cache.

The CSRF protection mechanism in Django does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests.

Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2332-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
October 29, 2011                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-django
Vulnerability  : several issues
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 
                CVE-2011-4140 
Debian Bug     : 641405

Paul McMillan, Mozilla and the Django core team discovered several
vulnerabilities in Django, a Python web framework:

CVE-2011-4136

 When using memory-based sessions and caching, Django sessions are
 stored directly in the root namespace of the cache. When user data is
 stored in the same cache, a remote user may take over a session.
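The following is an added illustration, not Django's code or part of the advisory: a plain dict stands in for the shared cache backend, a minimal SessionStore writes session dicts into it either at the root of the namespace (the vulnerable layout) or under a fixed prefix (the fix), and application code caches user-supplied data in the same backend. The class names, the "sessions:" prefix and the collision_demo helper are assumptions chosen for the example.

```python
"""Model of the shared-cache key collision behind CVE-2011-4136 and its
namespace fix. Added example code; not Django's implementation."""
import secrets


class Cache:
    """Minimal in-memory cache with get/set, standing in for memcached."""

    def __init__(self):
        self._data = {}

    def get(self, key, default=None):
        return self._data.get(key, default)

    def set(self, key, value):
        self._data[key] = value


class SessionStore:
    """Session backend that keeps session dicts in the shared cache.

    With key_prefix="" (the vulnerable layout) a session lives at the root of
    the cache namespace, so any other code that writes a cache key equal to a
    session key overwrites that session's contents. A fixed prefix that
    application code never uses for its own keys separates the namespaces.
    """

    def __init__(self, cache, key_prefix=""):
        self.cache = cache
        self.key_prefix = key_prefix  # assumption: "" or e.g. "sessions:"

    def _cache_key(self, session_key):
        return self.key_prefix + session_key

    def create(self):
        session_key = secrets.token_hex(16)
        self.cache.set(self._cache_key(session_key), {})
        return session_key

    def save(self, session_key, data):
        self.cache.set(self._cache_key(session_key), data)

    def load(self, session_key):
        return self.cache.get(self._cache_key(session_key), {})


def app_cache_user_data(cache, name, value):
    """Application code that caches user-supplied data under a key derived
    from user input (for example a per-username profile cache), sharing
    the same backend as the session store."""
    cache.set(name, value)


def collision_demo(key_prefix):
    """Return the user_id a session resolves to after application code has
    written a cache entry whose key equals the session key.

    key_prefix="" reproduces the root-namespace layout: the application
    write clobbers the session. A non-empty prefix keeps the session intact.
    """
    cache = Cache()
    sessions = SessionStore(cache, key_prefix)
    session_key = sessions.create()
    sessions.save(session_key, {"user_id": 1})
    # Constructed collision: the user-controlled cache key coincides with
    # the session key, so with no prefix it lands on the session entry.
    app_cache_user_data(cache, session_key, {"user_id": 42})
    return sessions.load(session_key)["user_id"]


if __name__ == "__main__":
    print("root namespace  ->", collision_demo(""))           # session clobbered
    print("prefixed keys   ->", collision_demo("sessions:"))  # session intact
```

The mitigation is purely a key-layout decision: give session entries a namespace no other code writes to, or run sessions and application caching on separate cache instances.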

CVE-2011-4137, CVE-2011-4138

 Django's field type URLField by default checks supplied URLs by
 issuing a request to them, which does not time out. A denial of service
 is possible by supplying specially prepared URLs that keep the
 connection open indefinitely or fill the Django server's memory.
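As an added example (not Django's code and not part of the advisory), the validator below shows the defensive alternative to a request-based URL check: validate syntax only, with no network I/O, so a submitted URL can never hold a server connection open, and if reachability really has to be checked, do it with a timeout and a cap on bytes read. The function names, the scheme allow-list and the limits are assumptions chosen for the example.

```python
"""Syntax-only URL validation plus a bounded optional reachability check,
as a defence against the verify_exists-style DoS (CVE-2011-4137/4138).
Added example code; not Django's implementation."""
import ipaddress
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: only web URLs accepted
MAX_URL_LENGTH = 2048                 # assumption: reject oversized input early


def _valid_hostname(hostname):
    """Accept an IPv6 literal or a dotted name of sane DNS labels."""
    if ":" in hostname:
        try:
            ipaddress.ip_address(hostname)
            return True
        except ValueError:
            return False
    labels = hostname.split(".")
    return all(
        0 < len(label) <= 63 and all(ch.isalnum() or ch == "-" for ch in label)
        for label in labels
    )


def validate_url(url):
    """Return True if url is a well-formed absolute http(s) URL.

    Performs no network access at all, so form validation cannot be turned
    into a slow or never-ending outbound request.
    """
    if not isinstance(url, str) or len(url) > MAX_URL_LENGTH:
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.hostname or not _valid_hostname(parts.hostname):
        return False
    try:
        parts.port  # raises ValueError for non-numeric or out-of-range ports
    except ValueError:
        return False
    return True


def bounded_fetch(url, timeout=5.0, max_bytes=65536):
    """Optional reachability check that cannot run away: a hard timeout on
    connect/read and a cap on how much of the response body is buffered.
    Returns (HTTP status, bytes actually read). Only call this when the
    business case genuinely needs it; validate_url() is the default path."""
    if not validate_url(url):
        raise ValueError("malformed or disallowed URL")
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        body = response.read(max_bytes)  # never read an unbounded body
        return response.status, len(body)


if __name__ == "__main__":
    for candidate in ("https://example.com/path?q=1", "ftp://example.com/",
                      "http://example.com:99999/", "http:///no-host", "not a url"):
        print(f"{candidate!r:40} -> {validate_url(candidate)}")
```

Note that bounded_fetch() still contacts an address supplied by the user, so it belongs behind an egress allow-list and rate limiting if it is used at all; the point of the example is that the cheap syntactic check is sufficient for field validation.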

CVE-2011-4139

 Django used X-Forwarded-Host headers to construct full URL's. This
 header may not contain trusted input and could be used to poison the
 cache.

CVE-2011-4140

 The CSRF protection mechanism in Django does not properly handle
 web-server configurations supporting arbitrary HTTP Host headers,
 which allows remote attackers to trigger unauthenticated forged
 requests.
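The two host-header issues above (CVE-2011-4139 and CVE-2011-4140) share one root cause: a value the client controls (Host or X-Forwarded-Host) being treated as the site's own name. The added example below, which is not Django's code, shows the defensive pattern: X-Forwarded-Host is honoured only when explicitly enabled because a trusted proxy is known to set it, the resulting host must match an allow-list before it is used to build URLs or cache keys, and the CSRF Referer check for HTTPS requests compares against that trusted host rather than the raw header. The function names, the headers dict (assumed to have case-normalised keys) and the sample values are assumptions.

```python
"""Trusted-host resolution and a Referer check built on it, modelled on the
defences Django provides (USE_X_FORWARDED_HOST, ALLOWED_HOSTS). Added
example code; not Django's implementation."""
import re
from urllib.parse import urlsplit

# host[:port]; hostnames only, no userinfo, paths or whitespace
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")


def host_matches(name, patterns):
    """ALLOWED_HOSTS-style matching: exact name, or a leading-dot pattern
    that matches the domain itself and any subdomain."""
    name = name.lower()
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern == "*" or name == pattern:
            return True
        if pattern.startswith(".") and (name == pattern[1:] or name.endswith(pattern)):
            return True
    return False


def get_host(headers, allowed_hosts, use_x_forwarded_host=False):
    """Return the lower-cased request host (with port, if any) or None.

    X-Forwarded-Host is only consulted when use_x_forwarded_host is True,
    i.e. when the deployment knows a trusted proxy sets it. Whatever value
    wins must be syntactically a host and must appear in allowed_hosts;
    otherwise the request must not be used to construct absolute URLs or
    cache keys, which is how header poisoning reaches the cache.
    """
    host = None
    if use_x_forwarded_host and "X-Forwarded-Host" in headers:
        host = headers["X-Forwarded-Host"]
    elif "Host" in headers:
        host = headers["Host"]
    if host is None or not HOST_RE.match(host):
        return None
    name = host.rsplit(":", 1)[0] if ":" in host else host
    if not host_matches(name, allowed_hosts):
        return None
    return host.lower()


def csrf_referer_ok(headers, allowed_hosts, use_x_forwarded_host=False):
    """HTTPS-style CSRF Referer check anchored on the trusted host.

    A forged request that arrives with an attacker-chosen Host header fails
    at get_host() before the Referer is even compared, so the comparison is
    never made against a value the attacker controls.
    """
    host = get_host(headers, allowed_hosts, use_x_forwarded_host)
    if host is None:
        return False
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme.lower() != "https" or not parts.netloc:
        return False
    return parts.netloc.lower() == host


if __name__ == "__main__":
    allowed = ["app.example.com", ".api.example.com"]  # constructed allow-list
    # Constructed request: proxy not trusted, so the forwarded header is ignored.
    hdrs = {"Host": "app.example.com", "X-Forwarded-Host": "evil.example.net",
            "Referer": "https://app.example.com/form"}
    print(get_host(hdrs, allowed))                              # app.example.com
    print(get_host(hdrs, allowed, use_x_forwarded_host=True))   # None
    print(csrf_referer_ok(hdrs, allowed))                       # True
```

The allow-list is what makes the difference: without it, enabling X-Forwarded-Host behind a proxy that forwards the header verbatim simply moves the injection point from Host to X-Forwarded-Host.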

For the oldstable distribution (lenny), this problem has been fixed in
version 1.0.2-1+lenny3.

For the stable distribution (squeeze), this problem has been fixed in
version 1.2.3-3+squeeze2.

For the testing (wheezy) and unstable distribution (sid), this problem
has been fixed in version 1.3.1-1.

We recommend that you upgrade your python-django packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJOq5QOAAoJEOxfUAG2iX573FoH/3Ld4NEmMPQlRW9JmB3AAdsU
BjvYcbABkPRbQRJeIN9VAEF5+O0qxNjl7FjEfDXAjJ3iunxje4saddw2D/JLmH6J
I5Qmj2hKOXrnOnG6rPJHZDhc33023fVBCLqOekOIfukkDz7ShWwKglmzTHbzhJLr
cibWsHZc+7l583d3Q8pPR5CfVmFUGq9d+SO0E3Tp+r5iBOhT7KlHt+txTQ9Ir3UQ
u2cIo3LjEsyVjcsYTnfLSUANYnMLZqdROm/2GkSJlvrJFY2yac9T9eWAqLM4TrX3
eGjbNSWu6Zknd0o3VBlPuqVTxBDz3Wje0k9Rg7XcO/54+stIKo1VTTZ+3+No0bU=
=xhY3
-----END PGP SIGNATURE-----