MDVSA-2012:143
- Nom du paquet
- python-django
- Date
- 2012-08-23
- Advisory ID
- MDVSA-2012:143
- Affected versions
- MES5 i586 , 2011 i586 , MES5 x86_64 , 2011 x86_64
Problem description
Multiple vulnerabilities has been discovered and corrected in
python-django:
The (1) django.http.HttpResponseRedirect and (2)
django.http.HttpResponsePermanentRedirect classes in Django before
1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect
target, which might allow remote attackers to conduct cross-site
scripting (XSS) attacks via a data: URL (CVE-2012-3442).
The django.forms.ImageField class in the form system in Django
before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image
data during image validation, which allows remote attackers to cause
a denial of service (memory consumption) by uploading an image file
(CVE-2012-3443).
The get_image_dimensions function in the image-handling functionality
in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk
size in all attempts to determine dimensions, which allows remote
attackers to cause a denial of service (process or thread consumption)
via a large TIFF image (CVE-2012-3444).
The updated packages have been upgraded to the 1.3.3 version which
is not vulnerable to these issues.
Updated packages
MES5 i586
0a3c29ad46d51eaf9d5cdf3bc1403609 mes5/i586/python-django-1.3.3-0.1mdvmes5.2.noarch.rpm 688d1e9c83f568a912aa67ebc42aa982 mes5/SRPMS/python-django-1.3.3-0.1mdvmes5.2.src.rpm
2011 i586
68725d98b343053372748fc043a9acf2 2011/i586/python-django-1.3.3-0.1-mdv2011.0.noarch.rpm 299698fbd6d338ef27056b7252086930 2011/SRPMS/python-django-1.3.3-0.1.src.rpm
MES5 x86_64
24bceea1424c615c4b2f4c9423717df1 mes5/x86_64/python-django-1.3.3-0.1mdvmes5.2.noarch.rpm 688d1e9c83f568a912aa67ebc42aa982 mes5/SRPMS/python-django-1.3.3-0.1mdvmes5.2.src.rpm
2011 x86_64
cf1c350871d68647a476d4ab31f93685 2011/x86_64/python-django-1.3.3-0.1-mdv2011.0.noarch.rpm 299698fbd6d338ef27056b7252086930 2011/SRPMS/python-django-1.3.3-0.1.src.rpm