From upstream advisory at $URL:

Today the Django team is issuing multiple releases -- Django 1.3.2 and Django 1.4.1 -- to remedy security issues reported to us. They fix:

- Cross-site scripting in authentication views
- Denial-of-service in image validation
- Denial-of-service via get_image_dimensions()
+*django-1.4.1 (31 Jul 2012) +*django-1.3.2 (31 Jul 2012) + + 31 Jul 2012; Kacper Kowalik <xarthisius@gentoo.org> +django-1.3.2.ebuild, + +django-1.4.1.ebuild: + Version bump wrt #428780 by Agostino Sarubbo <ago@gentoo.org>. Thanks to + Xelnor for the report on irc and testing + @security all yours
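Review bot: the ChangeLog entry describes this only as "Version bump wrt #428780", without saying it is a security bump; since the thread identifies the fixes as CVE-2012-3442, CVE-2012-3443 and CVE-2012-3444, naming them (or at least writing "security bump") in the entry would let a ChangeLog reader see why the version was bumped without opening the bug. The line "Thanks to Xelnor for the report on irc and testing" is also missing its terminating period.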
Arches, please test and mark stable:
=dev-python/django-1.3.2
Target KEYWORDS : "amd64 x86"
CVE-2012-3444 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3444): The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.

CVE-2012-3443 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3443): The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.

CVE-2012-3442 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3442): The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.
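The redirect-scheme problem behind CVE-2012-3442 comes down to a missing allow-list on the target's scheme. The following is an added example, not Django's code, of the kind of check a redirect helper should apply before emitting a Location header; the allow-list, function names and sample targets are assumptions, and it checks the scheme only (host-based open-redirect checks are a separate concern).

```python
"""Scheme allow-list for redirect targets (added example, not Django's own
code), illustrating the defect class in CVE-2012-3442."""
from urllib.parse import urlsplit

# Hypothetical allow-list: only schemes a browser should follow on redirect.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https", "ftp"})


class UnsafeRedirect(ValueError):
    """Raised when a redirect target uses a scheme outside the allow-list."""


def redirect_scheme(target: str) -> str:
    """Return the lower-cased scheme of target, '' for a relative URL.

    Surrounding whitespace is stripped first so that a leading blank cannot
    hide the scheme from the parser.
    """
    return urlsplit(target.strip()).scheme.lower()


def validate_redirect_target(target: str) -> str:
    """Return target unchanged if its scheme is safe to send in a Location
    header, otherwise raise UnsafeRedirect.

    Relative targets (no scheme) are accepted: the browser resolves them
    against the current origin, so no new scheme is introduced. A data: URL
    carries its own scheme and is rejected here instead of being passed
    through to the browser.
    """
    scheme = redirect_scheme(target)
    if scheme and scheme not in ALLOWED_REDIRECT_SCHEMES:
        raise UnsafeRedirect(f"refusing redirect to {scheme!r} URL")
    return target


def is_safe_redirect_target(target: str) -> bool:
    """Boolean form of validate_redirect_target for use in view code."""
    try:
        validate_redirect_target(target)
    except UnsafeRedirect:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample targets; the data: one is the case an unvalidated
    # redirect would hand straight to the browser.
    for t in ["/accounts/profile/", "https://example.com/next",
              "data:text/html,constructed-sample"]:
        state = "allowed" if is_safe_redirect_target(t) else "rejected"
        print(f"{t!r}: {state}")
```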
x86 stable
amd64 stable
Security, please vote.
Thanks, folks. GLSA Vote: no.
Vote: NO, closing noglsa.