
Bug 236527 (CVE-2008-3909)

Summary: dev-python/django < 0.96.3 cross-site request forgery (CSRF) (CVE-2008-3909)
Product: Gentoo Security
Reporter: Matt Summers (RETIRED) <quantumsummers>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: python
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.djangoproject.com/weblog/2008/sep/02/security/
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Matt Summers (RETIRED) gentoo-dev 2008-09-03 02:12:06 UTC
The Django administration application, as a convenience for users whose sessions expire, will attempt to preserve HTTP POST data from an incoming submission while re-authenticating the user, and will -- on successful authentication -- allow the submission to continue without requiring data to be re-entered.

Django developer Simon Willison has presented the Django development team with a proof-of-concept cross-site request forgery (CSRF) which exploits this behavior to perform unrequested deletion/modification of data. This exploit has been tested and verified by the Django team, and succeeds regardless of whether Django's bundled CSRF-protection module is active.
Affected versions

    * Django development trunk
    * Django 0.96
    * Django 0.95
    * Django 0.91
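Added example, not Django's code and not part of this bug report: a minimal Python model of the admin re-authentication flow described above, in the 0.96.2-style form that preserves the submitted data across login and in the hardened form that drops it, to show why a per-session token check cannot catch the replay. It assumes, as a simplification, that the token check only applies to requests made on an already authenticated session; the names (`Session`, `dispatch`, `admin_delete_view`, `login_view`, `scenario`) and all sample values are constructed.

```python
import secrets

DELETED = []  # constructed stand-in for the rows an admin delete action removes


class Session:
    def __init__(self):
        self.user = None                      # None models an expired login
        self.csrf_token = secrets.token_hex(8)


def dispatch(session, post, view):
    """Middleware plus view. Modelling assumption, not Django's exact rule: only
    a request on an authenticated session must carry that session's token."""
    if session.user is not None and post.get("csrfmiddlewaretoken") != session.csrf_token:
        return "403", {}
    return view(session, post)


def admin_delete_view(session, post, preserve_post=True):
    """preserve_post=True is the 0.96.2-style convenience (data handed to the login
    page as hidden fields); False is the hardened behaviour (unauthenticated POST dropped)."""
    if session.user is None:
        hidden = {"post_data": dict(post)} if preserve_post else {}
        return "login_required", hidden
    DELETED.append(post["object_id"])
    return "deleted", {}


def login_view(session, post):
    """After login, continue whatever the login page carried as preserved data: the
    token on this request came from the site's own page, so the check passes."""
    session.user = post["username"]           # password check omitted in the model
    if "post_data" in post:
        return admin_delete_view(session, post["post_data"])
    return "logged_in", {}


def scenario(preserve_post):
    """A cross-site POST without a token arrives while the admin's session has
    expired; the admin then logs back in. Returns (final status, ids deleted)."""
    DELETED.clear()
    s = Session()
    forged = {"object_id": 42}                # constructed sample submission
    status, hidden = dispatch(s, forged, lambda ss, p: admin_delete_view(ss, p, preserve_post))
    assert status == "login_required"
    login_form = {"username": "admin", "csrfmiddlewaretoken": s.csrf_token, **hidden}
    status, _ = dispatch(s, login_form, login_view)
    return status, list(DELETED)
```

`scenario(True)` ends with the forged deletion carried out under the freshly authenticated session, while `scenario(False)` ends at a plain login with nothing deleted, which is the behaviour the 0.96.3 update restores by removing the preservation feature.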
Comment 1 Matt Summers (RETIRED) gentoo-dev 2008-09-03 02:17:27 UTC
The update to 0.96 removes some (limited to expiration of sessions) functionality, but retains overall backwards compatibility. 

New tarball is here: http://www.djangoproject.com/download/0.96.3/tarball/

Bump of existing ebuild works.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-10 18:38:22 UTC
Python herd, please bump as necessary.
Comment 3 Jesus Rivero (RETIRED) gentoo-dev 2008-10-14 14:13:39 UTC
Hello,

dev-python/django-0.96.2 and 1.0 already in tree. Thanks Matt!

Best regards,
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-14 14:23:39 UTC
Thanks (fixing whiteboard).