Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 336594 (CVE-2010-3082)

Summary: =dev-python/django-1.2* XSS via csrf_token (CVE-2010-3082)
Product: Gentoo Security Reporter: Albert W. Hopkins <marduk>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: python
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.djangoproject.com/weblog/2010/sep/08/security-release/
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Albert W. Hopkins 2010-09-09 13:42:42 UTC
FYI there is an security issue found in django 1.2.1.  A fix has been applied to django 1.2.2:

http://www.djangoproject.com/weblog/2010/sep/08/security-release/
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-09 14:17:39 UTC
Summary from $URL:
The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks.

Affected versions:
=dev-python/django-1.2* (~arch only)
Comment 2 Albert W. Hopkins 2010-09-11 22:34:39 UTC
Django 1.2.3 has been released. This release deals with some issues caused by Django 1.2.2.

See
http://www.djangoproject.com/weblog/2010/sep/10/123/
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-09-22 19:39:57 UTC
dev-python/django-1.2.3 has been added to the tree. Vulnerable versions have been deleted.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2010-09-23 20:06:54 UTC
thanks, closing without glsa.