Debian Security Advisory
DSA-2332-1 python-django -- several issues
- Date Reported:
- 29 Oct 2011
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 641405.
In Mitre's CVE dictionary: CVE-2011-4136, CVE-2011-4137, CVE-2011-4138, CVE-2011-4139, CVE-2011-4140.
- More information:
Paul McMillan, Mozilla and the Django core team discovered several vulnerabilities in Django, a Python web framework:
When using memory-based sessions and caching, Django sessions are stored directly in the root namespace of the cache. When user data is stored in the same cache, a remote user may take over a session.
- CVE-2011-4137, CVE-2011-4138
Django's field type URLfield by default checks supplied URL's by issuing a request to it, which doesn't time out. A Denial of Service is possible by supplying specially prepared URL's that keep the connection open indefinately or fill the Django's server memory.
Django used X-Forwarded-Host headers to construct full URL's. This header may not contain trusted input and could be used to poison the cache.
The CSRF protection mechanism in Django does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests.
For the oldstable distribution (lenny), this problem has been fixed in version 1.0.2-1+lenny3.
For the stable distribution (squeeze), this problem has been fixed in version 1.2.3-3+squeeze2.
For the testing (wheezy) and unstable distribution (sid), this problem has been fixed in version 1.3.1-1.
We recommend that you upgrade your python-django packages.