Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 236527 (CVE-2008-3909) - dev-python/django < 0.96.3 cross-site request forgery (CSRF) (CVE-2008-3909)
Summary: dev-python/django < 0.96.3 cross-site request forgery (CSRF) (CVE-2008-3909)
Alias: CVE-2008-3909
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Depends on:
Reported: 2008-09-03 02:12 UTC by Matt Summers (RETIRED)
Modified: 2008-10-14 14:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matt Summers (RETIRED) gentoo-dev 2008-09-03 02:12:06 UTC
The Django administration application, as a convenience for users whose sessions expire, will attempt to preserve HTTP POST data from an incoming submission while re-authenticating the user, and will -- on successful authentication -- allow the submission to continue without requiring data to be re-entered.

Django developer Simon Willison has presented the Django development team with a proof-of-concept cross-site request forgery (CSRF) which exploits this behavior to perform unrequested deletion/modification of data. This exploit has been tested and verified by the Django team, and succeeds regardless of whether Django's bundled CSRF-protection module is active.
Affected versions

    * Django development trunk
    * Django 0.96
    * Django 0.95
    * Django 0.91
Comment 1 Matt Summers (RETIRED) gentoo-dev 2008-09-03 02:17:27 UTC
The update to 0.96 removes some (limited to expiration of sessions) functionality, but retains overall backwards compatibility. 

New tarball is here:

Bump of existing ebuild works.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-10 18:38:22 UTC
Python herd, please bump as necessary.
Comment 3 Jesus Rivero (RETIRED) gentoo-dev 2008-10-14 14:13:39 UTC

   dev-python/django-0.96.2 and 1.0 already in tree. Thanks Matt!

   Best regards, 
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-14 14:23:39 UTC
Thanks (fixing whiteboard).