Package name
Advisory ID
Affected versions
MES5 i586, MBS1 x86_64, MES5 x86_64

Problem description

A vulnerability has been discovered and corrected in python-django:

Rainer Koirikivi discovered a directory traversal vulnerability
with 'ssi' template tags in python-django, a high-level Python
web development framework. It was shown that the handling of the
'ALLOWED_INCLUDE_ROOTS' setting, used to represent allowed prefixes
for the {% ssi %} template tag, is vulnerable to a directory traversal
attack, by specifying a file path which begins as the absolute path
of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative
paths to break free. To exploit this vulnerability an attacker must
be in a position to alter templates on the site, or the site to be
attacked must have one or more templates making use of the 'ssi' tag,
and must allow some form of unsanitized user input to be used as an
argument to the 'ssi' tag (CVE-2013-4315).
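The weakness described above is a prefix comparison done on the raw path before it is normalised. The following is an added illustration, not Django's code and not part of the advisory: a naive `startswith` check of the kind the text describes is placed beside a hardened check that normalises the candidate path first and also requires a directory-separator boundary after the allowed root. The setting value and file names are constructed for the example.

```python
import posixpath

# Constructed allowed-roots value for the example (not taken from any real site).
ALLOWED_INCLUDE_ROOTS = ("/srv/site/includes",)


def allowed_naive(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Prefix-only check on the raw path.

    This is the pattern the advisory describes: a path that *begins* with an
    allowed root passes even if later '..' components leave that directory.
    """
    return any(filepath.startswith(root) for root in roots)


def allowed_hardened(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Normalise first, then compare against the normalised root.

    posixpath.normpath collapses '.', '..' and repeated separators, so the
    comparison is made on the path that would actually be opened.  Requiring
    either an exact match or a trailing separator prevents a sibling such as
    '/srv/site/includes_private' from matching the root '/srv/site/includes'.
    """
    if not posixpath.isabs(filepath):
        # Relative paths are refused outright; the roots are absolute by design.
        return False
    real = posixpath.normpath(filepath)
    for root in roots:
        root = posixpath.normpath(root)
        if real == root or real.startswith(root.rstrip("/") + "/"):
            return True
    return False


def compare(filepath):
    """Return (naive_result, hardened_result) for one candidate path."""
    return allowed_naive(filepath), allowed_hardened(filepath)


if __name__ == "__main__":
    # Constructed candidates: a legitimate include, a traversal attempt that
    # starts with the allowed root, and a sibling-directory name.
    for candidate in (
        "/srv/site/includes/header.html",
        "/srv/site/includes/../../../etc/passwd",
        "/srv/site/includes_private/secret.html",
    ):
        print(candidate, compare(candidate))
```

The traversal candidate is accepted by `allowed_naive` and rejected by `allowed_hardened`; the sibling directory shows why the separator boundary matters even after normalisation. The same pattern (normalise, then compare with a boundary) is the general remedy whenever an allow-list of directory prefixes guards file access.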

The updated packages have been patched to correct this issue.

Updated packages

MES5 i586

 fcfdd74c10f1d320c689640553607289  mes5/i586/python-django-1.3.7-0.2mdvmes5.2.noarch.rpm 
 1db8ecba27f22c0a7e44d1f1aae827bf  mes5/SRPMS/python-django-1.3.7-0.2mdvmes5.2.src.rpm

MBS1 x86_64

 9b560a6a59e88e6530480fd00c5d28bc  mbs1/x86_64/python-django-1.3.7-1.2.mbs1.noarch.rpm 
 0a83da2368e8d27c1a4e4131341cb935  mbs1/SRPMS/python-django-1.3.7-1.2.mbs1.src.rpm

MES5 x86_64

 3707f6171b360dd898ef2fb6e4947eec  mes5/x86_64/python-django-1.3.7-0.2mdvmes5.2.noarch.rpm 
 1db8ecba27f22c0a7e44d1f1aae827bf  mes5/SRPMS/python-django-1.3.7-0.2mdvmes5.2.src.rpm