Nome do pacote
python-django
Data
2014-06-10
ID Alerta
MDVSA-2014:112
Versões afetadas
MES5 i586 , MES5 x86_64

Descrição do problema

Multiple vulnerabilities has been discovered and corrected in
python-django:

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7
before 1.7b4 does not properly include the (1) Vary: Cookie or (2)
Cache-Control header in responses, which allows remote attackers to
obtain sensitive information or poison the cache via a request from
certain browsers (CVE-2014-1418).

The django.util.http.is_safe_url function in Django 1.4 before
1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4
does not properly validate URLs, which allows remote attackers to
conduct open redirect attacks via a malformed URL, as demonstrated
by http:\djangoproject.com. (CVE-2014-3730).

The django.core.urlresolvers.reverse function in Django before 1.4.11,
1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta
2 allows remote attackers to import and execute arbitrary Python
modules by leveraging a view that constructs URLs using user input
and a dotted Python path. (CVE-2014-0472).

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6,
1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached
CSRF token for all anonymous users, which allows remote attackers to
bypass CSRF protections by reading the CSRF cookie for anonymous users
(CVE-2014-0473).

The (1) FilePathField, (2) GenericIPAddressField, and (3)
IPAddressField model field classes in Django before 1.4.11,
1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta
2 do not properly perform type conversion, which allows remote
attackers to have unspecified impact and vectors, related to MySQL
typecasting. (CVE-2014-0474).

The updated packages have been patched to correct these issues.

Pacotes atualizados

MES5 i586

 56dc2f984f2f82fc8000a6823eaa8413  mes5/i586/python-django-1.3.7-0.3mdvmes5.2.noarch.rpm 
 3395a6fca97c935c2d98d2d32cad9e14  mes5/SRPMS/python-django-1.3.7-0.3mdvmes5.2.src.rpm

MES5 x86_64

 1f6993703a66e4a050d922dce76ceb8c  mes5/x86_64/python-django-1.3.7-0.3mdvmes5.2.noarch.rpm 
 3395a6fca97c935c2d98d2d32cad9e14  mes5/SRPMS/python-django-1.3.7-0.3mdvmes5.2.src.rpm

Referências