| Summary: | dev-python/django < 0.96.3 cross-site request forgery (CSRF) (CVE-2008-3909) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Matt Summers (RETIRED) <quantumsummers> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | python |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.djangoproject.com/weblog/2008/sep/02/security/ | | |
| Whiteboard: | ~3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
The update to 0.96 removes some (limited to expiration of sessions) functionality, but retains overall backwards compatibility. New tarball is here: http://www.djangoproject.com/download/0.96.3/tarball/ Bump of existing ebuild works. Python herd, please bump as necessary.

Hello, dev-python/django-0.96.2 and 1.0 already in tree.

Thanks Matt! Best regards,

Thanks (fixing whiteboard).
The Django administration application, as a convenience for users whose sessions expire, will attempt to preserve HTTP POST data from an incoming submission while re-authenticating the user, and will -- on successful authentication -- allow the submission to continue without requiring data to be re-entered. Django developer Simon Willison has presented the Django development team with a proof-of-concept cross-site request forgery (CSRF) which exploits this behavior to perform unrequested deletion/modification of data. This exploit has been tested and verified by the Django team, and succeeds regardless of whether Django's bundled CSRF-protection module is active.

Affected versions

* Django development trunk
* Django 0.96
* Django 0.95
* Django 0.91
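The flaw the advisory describes is a design pattern rather than a single bug, so the following added example (constructed for this page, not Django's own code) models the two ways a session-expired POST can be handled: carrying the submitted data through the login form and replaying it once credentials check out, versus discarding it and sending the re-authenticated user back with a GET. The `Request`, `Store` and handler names are assumptions for the illustration.

```python
"""Model of the admin re-authentication flow from the Django 0.96.3 advisory.

Constructed illustration, not Django's code. A submission arrives while the
user's session has expired; the server shows a login form and then either
replays the stashed POST (the exploitable convenience) or drops it (mitigation).
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    post: dict = field(default_factory=dict)
    session_valid: bool = False  # False models an expired session


@dataclass
class Store:
    deleted: list = field(default_factory=list)


def apply_action(req: Request, store: Store) -> str:
    """The privileged admin action the submission would trigger."""
    if req.post.get("action") == "delete":
        store.deleted.append(req.post["id"])
        return "deleted"
    return "noop"


def handle_preserving(req: Request, store: Store, creds_ok: bool) -> str:
    """Exploitable pattern: stash the POST, re-authenticate, then replay it.

    A per-session CSRF token cannot help here: the submission that is replayed
    was never bound to the new session, so the check is effectively bypassed.
    """
    if not req.session_valid:
        pending = dict(req.post)  # preserved across the login form
        if not creds_ok:
            return "login-failed"
        req.session_valid = True
        req.post = pending  # the original submission now runs as the user
    return apply_action(req, store)


def handle_discarding(req: Request, store: Store, creds_ok: bool) -> str:
    """Hardened pattern: never replay pending POST data after re-authentication."""
    if not req.session_valid:
        if not creds_ok:
            return "login-failed"
        req.session_valid = True
        return f"redirect GET {req.path}"  # user re-enters the data deliberately
    return apply_action(req, store)
```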