=========================================================== Ubuntu Security Notice USN-1040-1 January 07, 2011 python-django vulnerabilities CVE-2010-4534, CVE-2010-4535 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 9.10 Ubuntu 10.04 LTS Ubuntu 10.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 9.10: python-django 1.1.1-1ubuntu1.1 Ubuntu 10.04 LTS: python-django 1.1.1-2ubuntu1.2 Ubuntu 10.10: python-django 1.2.3-1ubuntu0.2.10.10.1 In general, a standard system update will make all the necessary changes. Details follow: Adam Baldwin discovered that Django did not properly validate query string lookups. This could be exploited to provide an information leak to an attacker with admin privilieges. (CVE-2010-4534) Paul McMillan discovered that Django did not validate the length of the token used when generating a password reset. An attacker could exploit this to cause a denial of service via resource exhaustion. (CVE-2010-4535) Updated packages for Ubuntu 9.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-1ubuntu1.1.diff.gz Size/MD5: 20554 69008b0041f74d261d2dfd833f0cbc71 http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-1ubuntu1.1.dsc Size/MD5: 2215 80222eacb212cce9d95bd988313f1f72 http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1.orig.tar.gz Size/MD5: 5614106 d7839c192e115f9c4dd8777de24dc21c Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django-doc_1.1.1-1ubuntu1.1_all.deb Size/MD5: 1528844 e46b0b9ab737be222c70d9e5c0445a31 http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-1ubuntu1.1_all.deb Size/MD5: 3869262 679a5d0e5668402d7d019e3a7c73d851 Updated packages for Ubuntu 10.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-2ubuntu1.2.diff.gz Size/MD5: 43848 69baf8e98b78de3762e12023f71d0704 http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-2ubuntu1.2.dsc Size/MD5: 2215 d18df1b93b0953664165c15870852145 http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1.orig.tar.gz Size/MD5: 5614106 d7839c192e115f9c4dd8777de24dc21c Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django-doc_1.1.1-2ubuntu1.2_all.deb Size/MD5: 1538222 f962bfdfb7feb43460d2a7124190c4e6 http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-2ubuntu1.2_all.deb Size/MD5: 3881736 455508583d9a7aea7f7555ad376824f5 Updated packages for Ubuntu 10.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.2.10.10.1.debian.tar.gz Size/MD5: 21609 391d97abadfcdfcc723b47073359f885 http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.2.10.10.1.dsc Size/MD5: 2281 336e74a9d11c13359b9470dec5c4b89f http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3.orig.tar.gz Size/MD5: 6306760 10bfb5831bcb4d3b1e6298d0e41d6603 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django-doc_1.2.3-1ubuntu0.2.10.10.1_all.deb Size/MD5: 1906098 5a1417117c2a2825d93bded7ca785824 http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.2.10.10.1_all.deb Size/MD5: 4213194 6cd0e133466c7b624a99c74c3dc56e3c
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/