Bug 428780 - <dev-python/django-1.3.2 : Multiple vulnerabilities (CVE-2012-{3442,3443,3444})
Summary: <dev-python/django-1.3.2 : Multiple vulnerabilities (CVE-2012-{3442,3443,3444})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2012-07-31 09:11 UTC by Agostino Sarubbo
Modified: 2012-08-14 16:04 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2012-07-31 09:11:12 UTC
From upstream advisory at $URL:

Today the Django team is issuing multiple releases -- Django 1.3.2 and Django 1.4.1 -- to remedy security issues reported to us.

They fix:
- Cross-site scripting in authentication views
- Denial-of-service in image validation
- Denial-of-service via get_image_dimensions()
Comment 1 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-07-31 12:02:20 UTC
+*django-1.4.1 (31 Jul 2012)
+*django-1.3.2 (31 Jul 2012)
+
+  31 Jul 2012; Kacper Kowalik <xarthisius@gentoo.org> +django-1.3.2.ebuild,
+  +django-1.4.1.ebuild:
+  Version bump wrt #428780 by Agostino Sarubbo <ago@gentoo.org>. Thanks to
+  Xelnor for the report on irc and testing
+
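Review bot: the ChangeLog entry cites only the bug number (#428780); naming the three CVE identifiers (CVE-2012-3442, CVE-2012-3443, CVE-2012-3444) or stating that the bump closes security issues would let a reader of the ChangeLog see why 1.3.2 and 1.4.1 were added without opening the bug.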

@security all yours
Comment 2 Agostino Sarubbo gentoo-dev 2012-07-31 12:28:14 UTC
Arches, please test and mark stable:
=dev-python/django-1.3.2
Target KEYWORDS : "amd64 x86"
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-08-01 00:14:04 UTC
CVE-2012-3444 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3444):
  The get_image_dimensions function in the image-handling functionality in
  Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all
  attempts to determine dimensions, which allows remote attackers to cause a
  denial of service (process or thread consumption) via a large TIFF image.

CVE-2012-3443 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3443):
  The django.forms.ImageField class in the form system in Django before 1.3.2
  and 1.4.x before 1.4.1 completely decompresses image data during image
  validation, which allows remote attackers to cause a denial of service
  (memory consumption) by uploading an image file.

CVE-2012-3442 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3442):
  The (1) django.http.HttpResponseRedirect and (2)
  django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and
  1.4.x before 1.4.1 do not validate the scheme of a redirect target, which
  might allow remote attackers to conduct cross-site scripting (XSS) attacks
  via a data: URL.
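The scheme check that CVE-2012-3442 calls for, as an added stand-alone illustration (not Django's own code; the allow-list, the exception name and the `next`-parameter log scan are assumptions made for this example): absolute redirect targets must use http, https or ftp, relative ones pass, and the same test is run over constructed access-log lines to find values the check would reject.

```python
from urllib.parse import parse_qs, urlsplit

# Schemes a Location header may carry. "data:" and "javascript:" are deliberately
# absent: a redirect to either runs attacker-supplied content in the site's context.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https", "ftp"})


class DisallowedRedirect(Exception):
    """Raised when a redirect target uses a scheme outside the allow-list."""


def validate_redirect_target(location: str) -> str:
    """Return location unchanged if its scheme is acceptable, otherwise raise.

    Relative targets (no scheme) pass: the browser resolves them against the
    current origin. Only the scheme is checked; an open redirect to another
    host is a separate concern that needs a netloc check as well.
    """
    scheme = urlsplit(location).scheme.lower()
    if scheme and scheme not in ALLOWED_REDIRECT_SCHEMES:
        raise DisallowedRedirect(f"unsafe redirect scheme {scheme!r}")
    return location


def is_safe_redirect(location: str) -> bool:
    """Boolean form of validate_redirect_target()."""
    try:
        validate_redirect_target(location)
    except DisallowedRedirect:
        return False
    return True


def find_unsafe_next_params(log_lines, param="next"):
    """Return (line_number, value) pairs for requests whose `next` query
    parameter names a redirect target the check above would reject.
    Lines are in common log format; the target is the second token of the
    quoted request field."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        try:
            target = line.split('"')[1].split()[1]
        except IndexError:
            continue  # no parsable request field on this line
        for value in parse_qs(urlsplit(target).query).get(param, []):
            if not is_safe_redirect(value):
                hits.append((lineno, value))
    return hits


# Constructed sample log lines (not taken from the bug report).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Jul/2012:09:11:12 +0000] "GET /accounts/login/?next=/dashboard/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [31/Jul/2012:09:12:01 +0000] "GET /accounts/login/?next=data:text/html,example HTTP/1.1" 200 512',
    '203.0.113.9 - - [31/Jul/2012:09:12:03 +0000] "GET /accounts/login/?next=https://example.com/ HTTP/1.1" 302 0',
]
```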
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-08-01 06:51:45 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2012-08-01 09:47:27 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2012-08-01 09:50:10 UTC
security please vote.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-08-14 15:49:11 UTC
Thanks, folks. GLSA Vote: no.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2012-08-14 16:04:10 UTC
Vote: NO, closing noglsa.