Ubuntu Security Notice 1757-1 - James Kettle discovered that Django did not properly filter the Host HTTP header when processing certain requests. An attacker could exploit this to generate and display arbitrary URLs to users. Although this issue had been previously addressed in USN-1632-1, this update adds additional hardening measures to host header validation. This update also adds a new ALLOWED_HOSTS setting that can be set to a list of acceptable values for headers. Orange Tsai discovered that Django incorrectly performed permission checks when displaying the history view in the admin interface. An administrator could use this flaw to view the history of any object, regardless of intended permissions. Various other issues were also addressed.
02719f42729583dd3407a3d30c2eedacc1f12b2e9836c0ea0740e3d9ef6cf3adDebian Linux Security Advisory 2634-1 - Several vulnerabilities have been discovered in python-django, a high-level python web development framework.
8377d247b2330890d79f474d182321f1f3ac22f1b48dd7ed09f05e3891683554Mandriva Linux Security Advisory 2012-181 - Multiple host header poisoning flaws were found and fixed in Django. The updated packages have been upgraded to the 1.3.5 version which is not affected by these issues.
9bce0d06f9a983370a47c9bda523a29bc653990c43314967da3f82c2062f4253Ubuntu Security Notice 1632-1 - James Kettle discovered Django did not properly filter the Host HTTP header when processing certain requests. An attacker could exploit this to generate and display arbitrary URLs to users.
af841a1738e970b1e603143399c27d062622d706fd0253e96d22045a7786a0ff
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed