diff options
author | Li-Wen Hsu <lwhsu@FreeBSD.org> | 2013-01-06 18:14:23 +0000 |
---|---|---|
committer | Li-Wen Hsu <lwhsu@FreeBSD.org> | 2013-01-06 18:14:23 +0000 |
commit | ea301099216326cc9631fbd406f14596bbf3995a (patch) | |
tree | 18425a2e18326d02f171252e3c02c33e27992234 /security | |
parent | ede09e7ce8a5c947c846b28c63cfc5abec873da0 (diff) | |
download | ports-ea301099216326cc9631fbd406f14596bbf3995a.tar.gz ports-ea301099216326cc9631fbd406f14596bbf3995a.zip |
Notes
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index f4a3b811f731..92748ffaf248 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -51,6 +51,80 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="1b769b72-582b-11e2-b66b-00e0814cab4e"> + <topic>django -- multiple vulnerabilities</topic> + <affects> + <package> + <name>django</name> + <range><lt>1.4.3</lt></range> + </package> + <package> + <name>django13</name> + <range><lt>1.3.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Django Project reports:</p> + <blockquote cite="https://www.djangoproject.com/weblog/2012/dec/10/security/"> + <ol> + <li> + <p>Host header poisoning</p> + <p>Several earlier Django security releases focused on the issue of + poisoning the HTTP Host header, causing Django to generate URLs + pointing to arbitrary, potentially-malicious domains.</p> + <p>In response to further input received and reports of continuing + issues following the previous release, we're taking additional + steps to tighten Host header validation. Rather than attempt to + accommodate all features HTTP supports here, Django's Host header + validation attempts to support a smaller, but far more common, subset:</p> + <ul> + <li>Hostnames must consist of characters [A-Za-z0-9] plus hyphen + ('-') or dot ('.').</li> + <li>IP addresses -- both IPv4 and IPv6 -- are permitted.</li> + <li>Port, if specified, is numeric.</li> + </ul> + <p>Any deviation from this will now be rejected, raising the exception + django.core.exceptions.SuspiciousOperation.</p> + </li> + <li> + <p>Redirect poisoning</p> + <p>Also following up on a previous issue: in July of this year, we made + changes to Django's HTTP redirect classes, performing additional + validation of the scheme of the URL to redirect to (since, both + within Django's own supplied applications and many third-party + applications, accepting a user-supplied redirect target is a common + pattern).</p> + <p>Since then, two independent audits of the code turned up further + potential problems. So, similar to the Host-header issue, we are + taking steps to provide tighter validation in response to reported + problems (primarily with third-party applications, but to a certain + extent also within Django itself). This comes in two parts:</p> + <ol> + <li>A new utility function, django.utils.http.is_safe_url, is + added; this function takes a URL and a hostname, and checks + that the URL is either relative, or if absolute matches the + supplied hostname. This function is intended for use whenever + user-supplied redirect targets are accepted, to ensure that + such redirects cannot lead to arbitrary third-party sites.</li> + <li>All of Django's own built-in views -- primarily in the + authentication system -- which allow user-supplied redirect + targets now use is_safe_url to validate the supplied URL.</li> + </ol> + </li> + </ol> + </blockquote> + </body> + </description> + <references> + <url>https://www.djangoproject.com/weblog/2012/dec/10/security/</url> + </references> + <dates> + <discovery>2012-12-10</discovery> + <entry>2013-01-06</entry> + </dates> + </vuln> + <vuln vid="1ae613c3-5728-11e2-9483-14dae938ec40"> <topic>freetype -- Multiple vulnerabilities</topic> <affects> |