-------------------------------------------------------------------------
Debian Security Advisory DSA-3010-1                   security@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
August 22, 2014                              http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : python-django
CVE ID         : CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483

Several vulnerabilities were discovered in Django, a high-level Python web development framework. The Common Vulnerabilities and Exposures project identifies the following problems:

Florian Apolloner discovered that in certain situations, URL reversing could generate scheme-relative URLs which could unexpectedly redirect a user to a different host, leading to phishing attacks.
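As an added illustration of this first issue (example code, not from the advisory or from Django itself): a plain-Python redirect-target validator that rejects scheme-relative targets such as "//other-host/...", shown next to the naive prefix check that lets them through. The host names used are constructed.

```python
from urllib.parse import urlsplit

# Added example, not code from the advisory or from Django. Shows why a
# prefix check is not enough to keep a redirect target on the current
# site: "//evil.example/..." carries no scheme, so it passes a test for
# "http://"/"https://", yet a browser resolves it against another host.
# Host names below are constructed for illustration.

VALID_SCHEMES = ("http", "https")


def naive_is_local(url: str) -> bool:
    """The weak check: only absolute http(s) URLs are treated as off-site."""
    return not url.startswith(("http://", "https://"))


def _host_and_scheme_ok(url: str, allowed_host: str) -> bool:
    # "///host/path" is read by browsers as scheme-relative with an empty
    # first segment; urlsplit reports no netloc for it, so reject outright.
    if url.startswith("///"):
        return False
    parts = urlsplit(url)
    # A scheme with no host ("http:///evil.example", "javascript:...")
    # either navigates off-site or is not a navigation target we want.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme not in VALID_SCHEMES:
        return False
    # No host at all means a same-site path; otherwise the host must match.
    return not parts.netloc or parts.netloc == allowed_host


def is_safe_redirect(url: str, allowed_host: str) -> bool:
    """Accept only same-site paths or absolute http(s) URLs on allowed_host."""
    if not url:
        return False
    url = url.strip()
    # Some browsers treat "\" like "/" while parsing, so "/\evil.example"
    # would become "//evil.example"; check the normalised form as well.
    return (_host_and_scheme_ok(url, allowed_host)
            and _host_and_scheme_ok(url.replace("\\", "/"), allowed_host))


if __name__ == "__main__":
    for target in ("/accounts/profile/", "//evil.example/phish", "/\\evil.example"):
        print(f"{target!r}: naive={naive_is_local(target)} "
              f"safe={is_safe_redirect(target, 'app.example')}")
```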

David Wilson reported a file upload denial of service vulnerability. Django's file upload handling in its default configuration may degrade to producing a huge number of `os.stat()` system calls when a duplicate filename is uploaded. A remote attacker with the ability to upload files can cause poor performance in the upload handler, eventually causing it to become very slow.

David Greisen discovered that under some circumstances, the use of the RemoteUserMiddleware middleware and the RemoteUserBackend authentication backend could result in one user receiving another user's session, if a change to the REMOTE_USER header occurred without corresponding logout/login actions.

Collin Anderson discovered that it is possible to reveal any field's data by modifying the "popup" and "to_field" parameters of the query string on an admin change form page. A user with access to the admin interface, and with sufficient knowledge of model structure and the appropriate URLs, could construct popup views which would display the values of non-relationship fields, including fields the application developer had not intended to expose in such a fashion.

For the stable distribution (wheezy), these problems have been fixed in version 1.4.5-1+deb7u8.

For the unstable distribution (sid), these problems have been fixed in version 1.6.6-1.

We recommend that you upgrade your python-django packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/