1 files changed, 74 insertions, 0 deletions

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index f4a3b811f731..92748ffaf248 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -51,6 +51,80 @@ Note:  Please add new entries to the beginning of this file.
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="1b769b72-582b-11e2-b66b-00e0814cab4e">
+    <topic>django -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+        <name>django</name>
+        <range><lt>1.4.3</lt></range>
+      </package>
+      <package>
+        <name>django13</name>
+        <range><lt>1.3.5</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+        <p>The Django Project reports:</p>
+	<blockquote cite="https://www.djangoproject.com/weblog/2012/dec/10/security/">
+        <ol>
+          <li>
+          <p>Host header poisoning</p>
+	  <p>Several earlier Django security releases focused on the issue of
+	      poisoning the HTTP Host header, causing Django to generate URLs
+	      pointing to arbitrary, potentially-malicious domains.</p>
+	  <p>In response to further input received and reports of continuing
+	      issues following the previous release, we're taking additional
+	      steps to tighten Host header validation. Rather than attempt to
+	      accommodate all features HTTP supports here, Django's Host header
+	      validation attempts to support a smaller, but far more common, subset:</p>
+	    <ul>
+		<li>Hostnames must consist of characters [A-Za-z0-9] plus hyphen
+		    ('-') or dot ('.').</li>
+		<li>IP addresses -- both IPv4 and IPv6 -- are permitted.</li>
+		<li>Port, if specified, is numeric.</li>
+	    </ul>
+	  <p>Any deviation from this will now be rejected, raising the exception
+	      django.core.exceptions.SuspiciousOperation.</p>
+          </li>
+          <li>
+          <p>Redirect poisoning</p>
+	  <p>Also following up on a previous issue: in July of this year, we made
+	      changes to Django's HTTP redirect classes, performing additional
+	      validation of the scheme of the URL to redirect to (since, both
+	      within Django's own supplied applications and many third-party
+	      applications, accepting a user-supplied redirect target is a common
+	      pattern).</p>
+	  <p>Since then, two independent audits of the code turned up further
+	      potential problems. So, similar to the Host-header issue, we are
+	      taking steps to provide tighter validation in response to reported
+	      problems (primarily with third-party applications, but to a certain
+	      extent also within Django itself). This comes in two parts:</p>
+	    <ol>
+		<li>A new utility function, django.utils.http.is_safe_url, is
+		    added; this function takes a URL and a hostname, and checks
+		    that the URL is either relative, or if absolute matches the
+		    supplied hostname. This function is intended for use whenever
+		    user-supplied redirect targets are accepted, to ensure that
+		    such redirects cannot lead to arbitrary third-party sites.</li>
+		<li>All of Django's own built-in views -- primarily in the
+		    authentication system -- which allow user-supplied redirect
+		    targets now use is_safe_url to validate the supplied URL.</li>
+	    </ol>
+          </li>
+          </ol>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+	<url>https://www.djangoproject.com/weblog/2012/dec/10/security/</url>
+    </references>
+    <dates>
+      <discovery>2012-12-10</discovery>
+      <entry>2013-01-06</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="1ae613c3-5728-11e2-9483-14dae938ec40">
     <topic>freetype -- Multiple vulnerabilities</topic>
     <affects>