[Bug 1130445] Re: Security releases issued - Django 1.3.6, Django 1.4.4

Launchpad Bug Tracker 1130445 at bugs.launchpad.net
Thu Mar 7 17:59:12 UTC 2013


This bug was fixed in the package python-django - 1.3.1-4ubuntu1.6

---------------
python-django (1.3.1-4ubuntu1.6) precise-security; urgency=low

  * SECURITY UPDATE: host header poisoning (LP: #1089337)
    - debian/patches/fix_get_host.patch: tighten host header validation in
      django/http/__init__.py, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: redirect poisoning (LP: #1089337)
    - debian/patches/fix_redirect_poisoning.patch: tighten validation in
      django/contrib/auth/views.py,
      django/contrib/comments/views/comments.py,
      django/contrib/comments/views/moderation.py,
      django/contrib/comments/views/utils.py, django/utils/http.py,
      django/views/i18n.py, add tests to
      tests/regressiontests/comment_tests/tests/comment_view_tests.py,
      tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
      tests/regressiontests/views/tests/i18n.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: host header poisoning (LP: #1130445)
    - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
      to django/conf/global_settings.py,
      django/conf/project_template/settings.py,
      django/http/__init__.py, django/test/utils.py, add docs to
      docs/ref/settings.txt, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - No CVE number
  * SECURITY UPDATE: XML attacks (LP: #1130445)
    - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
      and external entities/DTDs in
      django/core/serializers/xml_serializer.py, add tests to
      tests/regressiontests/serializers_regress/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-1664
    - CVE-2013-1665
  * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
    - debian/patches/CVE-2013-0305.patch: add permission checks to history
      view in django/contrib/admin/options.py, add tests to
      tests/regressiontests/admin_views/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0305
  * SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
    - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
      django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
      docs/topics/forms/modelforms.txt, add tests to
      tests/regressiontests/forms/tests/formsets.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0306
 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>   Mon, 04 Mar 2013 10:13:59 -0500

** Changed in: python-django (Ubuntu Precise)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-django in Ubuntu.
https://bugs.launchpad.net/bugs/1130445

Title:
  Security releases issued - Django 1.3.6, Django 1.4.4

Status in “python-django” package in Ubuntu:
  Confirmed
Status in “python-django” source package in Lucid:
  Fix Released
Status in “python-django” source package in Oneiric:
  Fix Released
Status in “python-django” source package in Precise:
  Fix Released
Status in “python-django” source package in Quantal:
  Fix Released
Status in “python-django” source package in Raring:
  Confirmed

Bug description:
  Here's a brief summary of each issue and its resolution:

  Issue: Host header poisoning: an attacker could cause Django to
  generate and display URLs that link to arbitrary domains. This could
  be used as part of a phishing attack. These releases fix this problem
  by introducing a new setting, ALLOWED_HOSTS, which specifies a
  whitelist of domains your site is known to respond to.

  Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to
  allow all hosts. This means that to actually fix the security
  vulnerability you should define this setting yourself immediately
  after upgrading.

  Issue: Formset denial-of-service: an attacker can abuse Django's
  tracking of the number of forms in a formset to cause a
  denial-of-service attack. This has been fixed by adding a default
  maximum number of forms of 1,000. You can still manually specify a
  bigger max_num, if you wish, but 1,000 should be enough for anyone.

  Issue: XML denial of service attacks: Django's serialization framework
  was vulnerable to denial of service attacks via XML entity expansion
  and external references; this is now fixed. However, if you're parsing
  arbitrary XML in other parts of your application, we recommend you
  look into the defusedxml Python packages which remedy this anywhere
  you parse XML, not just via Django's serialization framework.

  Issue: Data leakage via admin history log: Django's admin interface
  could expose supposedly-hidden information via its history log. This
  has been fixed.

  https://www.djangoproject.com/weblog/2013/feb/19/security/

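The ALLOWED_HOSTS check the bug description summarises, as an added worked example that is not part of the bug report or of Django's own code. It is modelled on the validation Django 1.3.6/1.4.4 introduced (reject the Host header before anything builds an absolute URL from it) and also shows the caveat the report stresses: with the shipped default of allowing every host, a poisoned Host still lands in a password-reset link. The `SuspiciousOperation` class, the `get_host()`/`password_reset_link()` signatures and the `POISONED` environ dict are stand-ins constructed for this example.

```python
"""ALLOWED_HOSTS-style Host header validation (added example).

Modelled on the check Django 1.3.6/1.4.4 introduced, but not Django's
code: SuspiciousOperation, get_host() and the environ dicts below are
stand-ins constructed for this example.
"""
import re


class SuspiciousOperation(Exception):
    """Stand-in for the exception a framework raises on a rejected Host."""


# A syntactically plausible host: hostname chars or a bracketed IPv6
# literal, optionally followed by ":port".  Anything else is rejected
# outright, so junk never reaches the pattern match below.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(:\d+)?$")


def split_domain_port(host):
    """Lowercase `host` and return (domain, port); ('', '') if malformed."""
    host = host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):                 # bare IPv6 literal, no port
        return host, ""
    bits = host.rsplit(":", 1)
    if len(bits) == 2 and bits[1].isdigit():
        domain, port = bits
    else:
        domain, port = host, ""
    return domain.rstrip("."), port        # trailing dot: FQDN form


def validate_host(domain, allowed_hosts):
    """True if `domain` matches an ALLOWED_HOSTS pattern.

    '*' matches anything, '.example.com' matches example.com and every
    subdomain, anything else must match exactly (case-insensitively).
    """
    domain = domain.lower()
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if domain == pattern[1:] or domain.endswith(pattern):
                return True
        elif pattern == domain:
            return True
    return False


def get_host(environ, allowed_hosts, use_x_forwarded_host=False, debug=False):
    """Select the request host as a framework would, then validate it.

    Rejecting here is the whole fix: nothing downstream (password-reset
    mails, redirects, canonical links) gets to build an absolute URL
    from an attacker-chosen Host.  With debug=True or ['*'] every host
    passes, which is the 1.3.6/1.4.4 default the bug report warns about.
    """
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in environ:
        host = environ["HTTP_X_FORWARDED_HOST"]
    elif "HTTP_HOST" in environ:
        host = environ["HTTP_HOST"]
    else:
        host = environ["SERVER_NAME"]
        port = str(environ["SERVER_PORT"])
        default = "443" if environ.get("wsgi.url_scheme") == "https" else "80"
        if port != default:
            host = "%s:%s" % (host, port)
    patterns = ["*"] if debug else allowed_hosts
    domain, _port = split_domain_port(host)
    if domain and validate_host(domain, patterns):
        return host
    raise SuspiciousOperation("Invalid HTTP_HOST header: %r" % host)


def password_reset_link(environ, allowed_hosts, token):
    """The kind of URL a reset e-mail embeds; the target of host poisoning."""
    return "https://%s/reset/%s/" % (get_host(environ, allowed_hosts), token)


# Constructed request: the attacker supplies "Host: evil.example".
POISONED = {"HTTP_HOST": "evil.example", "SERVER_NAME": "www.example.com",
            "SERVER_PORT": "443", "wsgi.url_scheme": "https"}


def demo():
    """Outcome with the permissive default versus a real whitelist."""
    results = {}
    results["default"] = password_reset_link(POISONED, ["*"], "tok")
    try:
        results["whitelist"] = password_reset_link(POISONED, [".example.com"], "tok")
    except SuspiciousOperation as exc:
        results["whitelist"] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for setting, outcome in demo().items():
        print("%-9s %s" % (setting, outcome))
```

Running the script shows the reset link pointing at evil.example under `['*']` and a `SuspiciousOperation` under `['.example.com']`; the practical lesson is that the upgrade alone changes nothing until ALLOWED_HOSTS is set, and that `SERVER_NAME` is only a fallback, not a substitute, because many deployments copy the client's Host header into it.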
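The XML hardening the changelog describes for CVE-2013-1664/1665 (forbid DTDs, entity expansion and external entities in the serializer), as an added example that is neither Django's patch nor the defusedxml package the description points to. It applies the same technique with only the standard library: an expat SAX reader whose DTD, entity-declaration and external-reference callbacks raise instead of expanding, so a billion-laughs payload or an external-entity fetch is refused at the `<!DOCTYPE` before any expansion happens. The exception classes, `parse_untrusted()`, `classify()` and the three sample documents are constructed for this example.

```python
"""Entity-expansion hardened XML parsing with the standard library
(added example; not Django's xml_serializer.py and not defusedxml).

The pyexpat-backed SAX reader is subclassed so that the callbacks expat
fires for a DOCTYPE, an entity declaration or an external reference
raise instead of letting the parser expand or fetch anything.
"""
from xml.sax import handler
from xml.sax.expatreader import ExpatParser


class DTDForbidden(ValueError):
    """Raised on any <!DOCTYPE ...>; untrusted documents never need one."""


class EntitiesForbidden(ValueError):
    """Raised on any <!ENTITY ...> declaration (expansion bombs)."""


class ExternalReferenceForbidden(ValueError):
    """Raised on a SYSTEM/PUBLIC reference (XXE, SSRF, file disclosure)."""


class DefusedExpatParser(ExpatParser):
    """expat SAX reader that refuses DTDs, entities and external references."""

    def __init__(self, *args, **kwargs):
        ExpatParser.__init__(self, *args, **kwargs)
        # Belt and braces: never resolve external general/parameter entities.
        self.setFeature(handler.feature_external_ges, False)
        self.setFeature(handler.feature_external_pes, False)

    def start_doctype_decl(self, name, sysid, pubid, has_internal_subset):
        raise DTDForbidden("DTD %r not allowed (sysid=%r)" % (name, sysid))

    def entity_decl(self, name, is_parameter_entity, value, base, sysid,
                    pubid, notation_name):
        raise EntitiesForbidden("entity %r not allowed" % name)

    def unparsed_entity_decl(self, name, base, sysid, pubid, notation_name):
        raise EntitiesForbidden("unparsed entity %r not allowed" % name)

    def external_entity_ref_handler(self, context, base, sysid, pubid):
        raise ExternalReferenceForbidden("external reference %r not allowed" % sysid)

    def reset(self):
        ExpatParser.reset(self)
        # reset() builds a fresh pyexpat parser; install the refusing callbacks on it.
        self._parser.StartDoctypeDeclHandler = self.start_doctype_decl
        self._parser.EntityDeclHandler = self.entity_decl
        self._parser.UnparsedEntityDeclHandler = self.unparsed_entity_decl
        self._parser.ExternalEntityRefHandler = self.external_entity_ref_handler


class TagCollector(handler.ContentHandler):
    """Minimal content handler: records element names and text seen."""

    def __init__(self):
        handler.ContentHandler.__init__(self)
        self.tags = []
        self.text = []

    def startElement(self, name, attrs):
        self.tags.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_untrusted(data):
    """Parse `data` (bytes) with the hardened reader; return (tags, text)."""
    collector = TagCollector()
    parser = DefusedExpatParser()
    parser.setContentHandler(collector)
    parser.feed(data)
    parser.close()
    return collector.tags, "".join(collector.text).strip()


def classify(data):
    """'ok' for a clean document, else the name of the refusal raised."""
    try:
        parse_untrusted(data)
    except (DTDForbidden, EntitiesForbidden, ExternalReferenceForbidden) as exc:
        return type(exc).__name__
    return "ok"


# Constructed sample documents.  The first is the shape Django's XML
# serializer emits; the other two are the classic attacks.
BENIGN = (b'<?xml version="1.0"?>\n<django-objects version="1.0">'
          b'<object pk="1" model="auth.user">'
          b'<field name="username" type="CharField">alice</field>'
          b'</object></django-objects>')
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<data>&xxe;</data>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("billion laughs", BILLION_LAUGHS), ("xxe", XXE)):
        print("%-15s %s" % (label, classify(doc)))
```

Both attack documents are stopped by `DTDForbidden` because expat reports the DOCTYPE before it reads the internal subset, so no entity is ever declared, let alone expanded; the entity and external-reference handlers are kept anyway so that a document reaching them by another route is still refused. This covers code that parses XML directly through expat or SAX; for `xml.etree`, `minidom` and the rest of the stdlib surface the description's advice stands: use defusedxml rather than re-deriving a guard per parser.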