[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [USN-1040-1] Django vulnerabilities



===========================================================
Ubuntu Security Notice USN-1040-1          January 07, 2011
python-django vulnerabilities
CVE-2010-4534, CVE-2010-4535
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  python-django                   1.1.1-1ubuntu1.1

Ubuntu 10.04 LTS:
  python-django                   1.1.1-2ubuntu1.2

Ubuntu 10.10:
  python-django                   1.2.3-1ubuntu0.2.10.10.1

In general, a standard system update will make all the necessary changes.

Details follow:

Adam Baldwin discovered that Django did not properly validate query string
lookups. This could be exploited to provide an information leak to an
attacker with admin privilieges. (CVE-2010-4534)

Paul McMillan discovered that Django did not validate the length of the
token used when generating a password reset. An attacker could exploit
this to cause a denial of service via resource exhaustion. (CVE-2010-4535)


Updated packages for Ubuntu 9.10:

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-1ubuntu1.1.diff.gz
      Size/MD5:    20554 69008b0041f74d261d2dfd833f0cbc71
    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-1ubuntu1.1.dsc
      Size/MD5:     2215 80222eacb212cce9d95bd988313f1f72
    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1.orig.tar.gz
      Size/MD5:  5614106 d7839c192e115f9c4dd8777de24dc21c

  Architecture independent packages:

    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django-doc_1.1.1-1ubuntu1.1_all.deb
      Size/MD5:  1528844 e46b0b9ab737be222c70d9e5c0445a31
    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-1ubuntu1.1_all.deb
      Size/MD5:  3869262 679a5d0e5668402d7d019e3a7c73d851

Updated packages for Ubuntu 10.04 LTS:

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-2ubuntu1.2.diff.gz
      Size/MD5:    43848 69baf8e98b78de3762e12023f71d0704
    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-2ubuntu1.2.dsc
      Size/MD5:     2215 d18df1b93b0953664165c15870852145
    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1.orig.tar.gz
      Size/MD5:  5614106 d7839c192e115f9c4dd8777de24dc21c

  Architecture independent packages:

    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django-doc_1.1.1-2ubuntu1.2_all.deb
      Size/MD5:  1538222 f962bfdfb7feb43460d2a7124190c4e6
    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.1.1-2ubuntu1.2_all.deb
      Size/MD5:  3881736 455508583d9a7aea7f7555ad376824f5

Updated packages for Ubuntu 10.10:

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.2.10.10.1.debian.tar.gz
      Size/MD5:    21609 391d97abadfcdfcc723b47073359f885
    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.2.10.10.1.dsc
      Size/MD5:     2281 336e74a9d11c13359b9470dec5c4b89f
    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3.orig.tar.gz
      Size/MD5:  6306760 10bfb5831bcb4d3b1e6298d0e41d6603

  Architecture independent packages:

    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django-doc_1.2.3-1ubuntu0.2.10.10.1_all.deb
      Size/MD5:  1906098 5a1417117c2a2825d93bded7ca785824
    
http://security.ubuntu.com/ubuntu/pool/main/p/python-django/python-django_1.2.3-1ubuntu0.2.10.10.1_all.deb
      Size/MD5:  4213194 6cd0e133466c7b624a99c74c3dc56e3c



Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/