| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <dev-python/django-1.3.2 : Multiple vulnerabilities (CVE-2012-{3442,3443,3444}) | | |
| Product | Gentoo Security | Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | minor | CC | python |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/ | | |
| Whiteboard | B3 [noglsa] | | |
| Package list | | Runtime testing required | --- |
Description

Agostino Sarubbo, 2012-07-31 09:11:12 UTC

    +*django-1.4.1 (31 Jul 2012)
    +*django-1.3.2 (31 Jul 2012)
    +
    +  31 Jul 2012; Kacper Kowalik <xarthisius@gentoo.org> +django-1.3.2.ebuild,
    +  +django-1.4.1.ebuild:
    +  Version bump wrt #428780 by Agostino Sarubbo <ago@gentoo.org>. Thanks to
    +  Xelnor for the report on irc and testing

@security all yours

Arches, please test and mark stable:
=dev-python/django-1.3.2
Target KEYWORDS : "amd64 x86"

CVE-2012-3444 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3444):
The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.

CVE-2012-3443 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3443):
The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.

CVE-2012-3442 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3442):
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.

x86 stable

amd64 stable

security please vote. Thanks, folks.

GLSA Vote: no.

Vote: NO, closing noglsa.
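The third entry above, CVE-2012-3442, concerns redirect responses that never check the scheme of their target, so a `data:` URL could end up in a `Location` header. The following is an added example of the mitigation, written for this page; it is not Django's code and not part of the bug report. It uses an allowlist of schemes (the approach the fixed releases also took) and, as an assumption of its own, removes ASCII tab and newline characters and trims leading control characters before inspecting the scheme, because browsers drop those before parsing a URL. All names (`validate_redirect_target`, `UnsafeRedirect`, `ALLOWED_SCHEMES`, `classify`) are this example's own.

```python
"""Added example: allow-listing the scheme of an HTTP redirect target.

Stand-alone illustration of the mitigation for CVE-2012-3442; it is not
Django's code. Names and the whitespace normalisation are this example's
own assumptions.
"""
from urllib.parse import urlsplit

# Schemes a browser may be sent to via a Location header. Anything else
# (data:, javascript:, vbscript:, ...) is refused. Assumption: this is the
# set the application wants; widen it deliberately, never by default.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp"})

# Browsers remove ASCII tab and newline from a URL before parsing and ignore
# leading/trailing C0 control characters and spaces, so "\tdata:..." or
# "da\nta:..." must be normalised the same way before the scheme is read.
_STRIP_INNER = str.maketrans("", "", "\t\r\n")
_STRIP_EDGES = "".join(chr(c) for c in range(0x21))  # NUL..US and space


class UnsafeRedirect(ValueError):
    """Raised when a redirect target uses a scheme that is not allow-listed."""


def redirect_scheme(location: str) -> str:
    """Return the lower-cased scheme a browser would see, or '' for a relative target."""
    cleaned = location.translate(_STRIP_INNER).strip(_STRIP_EDGES)
    return urlsplit(cleaned).scheme.lower()


def validate_redirect_target(location: str, allowed_schemes=ALLOWED_SCHEMES) -> str:
    """Return `location` unchanged if its scheme is allowed, else raise UnsafeRedirect.

    A target with no scheme (a relative path or a scheme-relative URL) is
    accepted here, since the browser resolves it against the current scheme;
    checking the host of a scheme-relative target is a separate concern.
    """
    scheme = redirect_scheme(location)
    if scheme and scheme not in allowed_schemes:
        raise UnsafeRedirect(f"refusing redirect to {scheme!r} URL")
    return location


def safe_redirect_header(location: str) -> dict:
    """Build the Location header for a redirect, raising before anything is sent."""
    return {"Location": validate_redirect_target(location)}


def classify(targets):
    """Map each candidate target to 'allowed' or 'blocked'."""
    result = {}
    for target in targets:
        try:
            validate_redirect_target(target)
            result[target] = "allowed"
        except UnsafeRedirect:
            result[target] = "blocked"
    return result


if __name__ == "__main__":
    # Constructed sample targets, such as a "next" query parameter might carry.
    samples = [
        "/accounts/profile/",
        "https://example.org/done",
        "data:text/html,rendered-by-browser",
        "DATA:text/html,x",
        "\tjavascript:void(0)",
        "java\nscript:void(0)",
    ]
    for target, verdict in classify(samples).items():
        print(f"{verdict:8} {target!r}")
```

The check is applied when the response is built, not when the `next` value is read, so every code path that emits a redirect goes through it. A scheme-relative target such as `//other.example/` passes this scheme check; restricting redirect hosts is a different control and is not shown here.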