Debian Security Advisory

DSA-1640-1 python-django -- several vulnerabilities

Date Reported:
20 Sep 2008
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 497765, Bug 448838.
In Mitre's CVE dictionary: CVE-2008-3909, CVE-2007-5712.
More information:

Simon Willison discovered that in Django, a Python web framework, the feature to retain HTTP POST data during user reauthentication allowed a remote attacker to perform unauthorized modification of data through cross site request forgery. This is possible regardless of the Django plugin to prevent cross site request forgery being enabled. The Common Vulnerabilities and Exposures project identifies this issue as CVE-2008-3909.

In this update the affected feature is disabled; this is in accordance with upstream's preferred solution for this situation.

This update takes the opportunity to also include a relatively minor denial of service attack in the internationalisation framework, known as CVE-2007-5712.

For the stable distribution (etch), these problems have been fixed in version 0.95.1-1etch2.

For the unstable distribution (sid), these problems have been fixed in version 1.0-1.

We recommend that you upgrade your python-django package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.