| Summary: | dev-python/django-1.{4.20,6.11,7.7}: multiple vulnerabilities DOS & XSS (CVE-2015-{2316,2317}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Justin Lecher (RETIRED) <jlec> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.djangoproject.com/weblog/2015/mar/18/security-releases/ | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Justin Lecher (RETIRED)
2015-03-19 07:40:46 UTC
+*django-1.4.20 (19 Mar 2015)
+*django-1.6.11 (19 Mar 2015)
+*django-1.7.7 (19 Mar 2015)
+
+  19 Mar 2015; Justin Lecher <jlec@gentoo.org> +django-1.4.20.ebuild,
+  +django-1.6.11.ebuild, +django-1.7.7.ebuild, -django-1.7.6.ebuild:
+  Version Bump, fixes CVE-2015-231{6,7} bug #543754
+

@arches please stable, dev-python/django-1.4.20 dev-python/django-1.6.11

x86 done.

amd64 stable.

Maintainer(s), please cleanup. Security, please vote.

+  24 Mar 2015; Justin Lecher <jlec@gentoo.org> -django-1.4.19.ebuild,
+  -django-1.6.10.ebuild:
+  Clean up after sec stabilization, bug #543754
+

Arches, thank you for your work.

GLSA Vote: No

CVE-2015-2317 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2317): The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.

CVE-2015-2316 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2316): The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.

GLSA vote: no. Closing as [noglsa]
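As an added illustration (not Django's own code and not part of this bug report), the hypothetical `is_safe_redirect` check below shows the class of validation the CVE-2015-2317 fix needed: control characters such as `\x08` are rejected before the scheme is examined, so a browser that silently strips them cannot be steered onto a `javascript:` URL by a redirect parameter. The allowed host and the scheme allow-list are assumptions for the example.

```python
import unicodedata
from urllib.parse import urlparse

# Assumed allow-list for the example; a real site would take this from settings.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(url, allowed_host):
    """Return True only if `url` may be used as a post-login redirect target.

    Hypothetical hardened check written for this example. It is deliberately
    stricter than the advisory's is_safe_url: any Unicode control or format
    character anywhere in the URL is rejected, not only a leading one.
    """
    if not url:
        return False
    # Browsers ignore leading control characters, so "\x08javascript:..." is
    # executed as "javascript:..."; refuse the URL before parsing it at all.
    if any(unicodedata.category(ch)[0] == "C" for ch in url):
        return False
    # Browsers treat a backslash like a forward slash; normalise first so
    # "\\evil.example" is parsed as the scheme-relative URL it really is.
    url = url.replace("\\", "/")
    # Three leading slashes are scheme-relative for browsers, but urlparse
    # reports no netloc for them, so handle that case explicitly.
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    # A scheme with no host ("http:///evil.example", "javascript:...") is never
    # a legitimate in-site redirect.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Absolute URLs must point back at this site.
    if parts.netloc and parts.netloc.lower() != allowed_host.lower():
        return False
    return True
```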