Support / Sécurité / Annonces de sécurité / Mandriva Enterprise Server 5 / MDVSA-2009:276

Nom du paquet: python-django
Date: 2009-10-13
Advisory ID: MDVSA-2009:276
Affected versions: 2009.0 x86_64 , MES5 i586 , 2009.1 i586 , 2009.0 i586 , 2009.1 x86_64 , MES5 x86_64

Problem description

Multiple vulnerabilities has been found and corrected in python-django:

The Admin media handler in core/servers/basehttp.py in Django 1.0
and 0.96 does not properly map URL requests to expected static media
files, which allows remote attackers to conduct directory traversal
attacks and read arbitrary files via a crafted URL (CVE-2009-2659).

Algorithmic complexity vulnerability in the forms library in Django
1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause
a denial of service (CPU consumption) via a crafted (1) EmailField
(email address) or (2) URLField (URL) that triggers a large amount
of backtracking in a regular expression (CVE-2009-3695).

The versions of Django shipping with Mandriva Linux have been updated
to the latest patched version that include the fix for this issue.
In addition, they provide other bug fixes.

Updated packages

2009.0 x86_64

 9d5f9d82a19922ae82a33d60382f045f  2009.0/x86_64/python-django-1.0.4-0.1mdv2009.0.noarch.rpm 
 bd7dc74abdc388afe2743b180f8ae5a1  2009.0/SRPMS/python-django-1.0.4-0.1mdv2009.0.src.rpm

MES5 i586

 4f81003d7801b53640dc16939c510b0a  mes5/i586/python-django-1.0.4-0.1mdvmes5.noarch.rpm 
 06d01833a4447328cf6ac6937cc1cc8a  mes5/SRPMS/python-django-1.0.4-0.1mdvmes5.src.rpm

2009.1 i586

 0027cec9a30e25f38fdb2fa68da6cf58  2009.1/i586/python-django-1.0.4-0.1mdv2009.1.noarch.rpm 
 de002eb7492111f1ac473fd91de49165  2009.1/SRPMS/python-django-1.0.4-0.1mdv2009.1.src.rpm

2009.0 i586

 eeb3f3a8fdbf4ae7e973c5b0ab95aee8  2009.0/i586/python-django-1.0.4-0.1mdv2009.0.noarch.rpm 
 bd7dc74abdc388afe2743b180f8ae5a1  2009.0/SRPMS/python-django-1.0.4-0.1mdv2009.0.src.rpm

2009.1 x86_64

 1d68b5b742e4618094cf651c95322b82  2009.1/x86_64/python-django-1.0.4-0.1mdv2009.1.noarch.rpm 
 de002eb7492111f1ac473fd91de49165  2009.1/SRPMS/python-django-1.0.4-0.1mdv2009.1.src.rpm

MES5 x86_64

 a0bb40c44b9d496aff726c527ecdce05  mes5/x86_64/python-django-1.0.4-0.1mdvmes5.noarch.rpm 
 06d01833a4447328cf6ac6937cc1cc8a  mes5/SRPMS/python-django-1.0.4-0.1mdvmes5.src.rpm

MDVSA-2009:276