[Bug 1130445] Re: Security releases issued - Django 1.3.6, Django 1.4.4

Marc Deslauriers marc.deslauriers at canonical.com
Sun Mar 10 16:35:15 UTC 2013 

** Changed in: python-django (Ubuntu Raring)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-django in Ubuntu.
https://bugs.launchpad.net/bugs/1130445

Title:
  Security releases issued - Django 1.3.6, Django 1.4.4

Status in “python-django” package in Ubuntu:
  Fix Released
Status in “python-django” source package in Lucid:
  Fix Released
Status in “python-django” source package in Oneiric:
  Fix Released
Status in “python-django” source package in Precise:
  Fix Released
Status in “python-django” source package in Quantal:
  Fix Released
Status in “python-django” source package in Raring:
  Fix Released

Bug description:
  Here's a brief summary of each issue and its resolution:

  Issue: Host header poisoning: an attacker could cause Django to
  generate and display URLs that link to arbitrary domains. This could
  be used as part of a phishing attack. These releases fix this problem
  by introducing a new setting, ALLOWED_HOSTS, which specifies a
  whitelist of domains your site is known to respond to.

  Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to
  allow all hosts. This means that to actually fix the security
  vulnerability you should define this setting yourself immediately
  after upgrading.

  Issue: Formset denial-of-service: an attacker can abuse Django's
  tracking of the number of forms in a formset to cause a denial-of-
  service attack. This has been fixed by adding a default maximum number
  of forms of 1,000. You can still manually specify a bigger max_num, if
  you wish, but 1,000 should be enough for anyone.

  Issue: XML denial of service attacks: Django's serialization framework
  was vulnerable to denial of service attacks via XML entity expansion
  and external references; this is now fixed. However, if you're parsing
  arbitrary XML in other parts of your application, we recommend you
  look into the defusedxml Python packages which remedy this anywhere
  you parse XML, not just via Django's serialization framework.

  Issue: Data leakage via admin history log: Django's admin interface
  could expose supposedly-hidden information via its history log. This
  has been fixed.

  
  https://www.djangoproject.com/weblog/2013/feb/19/security/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/1130445/+subscriptions

More information about the foundations-bugs mailing list