You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa django

Sigurnosni nedostaci programskog paketa django

by ncert - 0

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:112
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : python-django
Date : June 10, 2014
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been discovered and corrected in
python-django:

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7
before 1.7b4 does not properly include the (1) Vary: Cookie or (2)
Cache-Control header in responses, which allows remote attackers to
obtain sensitive information or poison the cache via a request from
certain browsers (CVE-2014-1418).

The django.util.http.is_safe_url function in Django 1.4 before
1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4
does not properly validate URLs, which allows remote attackers to
conduct open redirect attacks via a malformed URL, as demonstrated
by http:\djangoproject.com. (CVE-2014-3730).

The django.core.urlresolvers.reverse function in Django before 1.4.11,
1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta
2 allows remote attackers to import and execute arbitrary Python
modules by leveraging a view that constructs URLs using user input
and a dotted Python path. (CVE-2014-0472).

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6,
1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached
CSRF token for all anonymous users, which allows remote attackers to
bypass CSRF protections by reading the CSRF cookie for anonymous users
(CVE-2014-0473).

The (1) FilePathField, (2) GenericIPAddressField, and (3)
IPAddressField model field classes in Django before 1.4.11,
1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta
2 do not properly perform type conversion, which allows remote
attackers to have unspecified impact and vectors, related to MySQL
typecasting. (CVE-2014-0474).

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0474
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
56dc2f984f2f82fc8000a6823eaa8413 mes5/i586/python-django-1.3.7-0.3mdvmes5.2.noarch.rpm
3395a6fca97c935c2d98d2d32cad9e14 mes5/SRPMS/python-django-1.3.7-0.3mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
1f6993703a66e4a050d922dce76ceb8c mes5/x86_64/python-django-1.3.7-0.3mdvmes5.2.noarch.rpm
3395a6fca97c935c2d98d2d32cad9e14 mes5/SRPMS/python-django-1.3.7-0.3mdvmes5.2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg –recv-keys –keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTlqxJmqjQ0CJFipgRAoppAJ48r1tyBrsBhwBC3ksnlYFApJXCBACgu/4Z
80F66i8fmTHg+g8N4aIuWyA=
=DOsW
—–END PGP SIGNATURE—–

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:113
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : python-django
Date : June 10, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been discovered and corrected in
python-django:

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7
before 1.7b4 does not properly include the (1) Vary: Cookie or (2)
Cache-Control header in responses, which allows remote attackers to
obtain sensitive information or poison the cache via a request from
certain browsers (CVE-2014-1418).

The django.util.http.is_safe_url function in Django 1.4 before
1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4
does not properly validate URLs, which allows remote attackers to
conduct open redirect attacks via a malformed URL, as demonstrated
by http:\djangoproject.com. (CVE-2014-3730).

The django.core.urlresolvers.reverse function in Django before 1.4.11,
1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta
2 allows remote attackers to import and execute arbitrary Python
modules by leveraging a view that constructs URLs using user input
and a dotted Python path. (CVE-2014-0472).

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6,
1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached
CSRF token for all anonymous users, which allows remote attackers to
bypass CSRF protections by reading the CSRF cookie for anonymous users
(CVE-2014-0473).

The (1) FilePathField, (2) GenericIPAddressField, and (3)
IPAddressField model field classes in Django before 1.4.11,
1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta
2 do not properly perform type conversion, which allows remote
attackers to have unspecified impact and vectors, related to MySQL
typecasting. (CVE-2014-0474).

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0474
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
b5c81c5dc930dd057bc84ab4c2c5e1ae mbs1/x86_64/python-django-1.3.7-1.4.mbs1.noarch.rpm
35585be4a7eaf1729895747c1669492f mbs1/SRPMS/python-django-1.3.7-1.4.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg –recv-keys –keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTlsDTmqjQ0CJFipgRAo5aAJwNpNvxeEZvRp6KJWW6aT+WncwkFwCgmNDC
oDR4UsWPzZRj7IuDtJOeG1A=
=iHJ3
—–END PGP SIGNATURE—–

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________

ncert
Top
More in Preporuke
Sigurnosni propust programskog paketa squid

Otkriven je sigurnosni propust u programskom paketu squid za operacijski sustav Mandriva. Otkriveni propust potencijalnim napadačima omogućuje izvođenje napada uskraćivanja...

Close