Date: Sun, 24 Feb 2013 14:23:46 +0000 (UTC)
From: Po-Chien Lin <pclin@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r312867 - head/security/vuxml
Message-ID: <201302241423.r1OENk5X064096@svn.freebsd.org>
Author: pclin Date: Sun Feb 24 14:23:46 2013 New Revision: 312867 URL: http://svnweb.freebsd.org/changeset/ports/312867 Log: - Document Django 2013-02-21 vulnerability Approved by: araujo (mentor) Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun Feb 24 13:55:49 2013 (r312866) +++ head/security/vuxml/vuln.xml Sun Feb 24 14:23:46 2013 (r312867) 
@@ -51,6 +51,76 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="21c59f5e-7cc5-11e2-9c11-080027a5ec9a"> + <topic>django -- multiple vulnerabilities</topic> + <affects> + <package> + <name>py26-django</name> + <name>py27-django</name> + <range><ge>1.3</ge><lt>1.3.6</lt></range> + <range><ge>1.4</ge><lt>1.4.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Django Project reports:</p> + <blockquote cite="https://www.djangoproject.com/weblog/2013/feb/19/security/"> + <p>These security releases fix four issues: one potential phishing + vector, one denial-of-service vector, an information leakage issue, + and a range of XML vulnerabilities.</p> + <ol> + <li> + <p>Host header poisoning</p> + <p>an attacker could cause Django to generate and display URLs that + link to arbitrary domains. This could be used as part of a phishing + attack. These releases fix this problem by introducing a new + setting, ALLOWED_HOSTS, which specifies a whitelist of domains your + site is known to respond to.</p> + <p>Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to + allow all hosts. This means that to actually fix the security + vulnerability you should define this setting yourself immediately + after upgrading.</p> + </li> + <li> + <p>Formset denial-of-service</p> + <p>an attacker can abuse Django's tracking of the number of forms in + a formset to cause a denial-of-service attack. This has been fixed + by adding a default maximum number of forms of 1,000. You can still + manually specify a bigger max_num, if you wish, but 1,000 should be + enough for anyone.</p> + </li> + <li> + <p>XML attacks</p> + <p>Django's serialization framework was vulnerable to attacks via XML + entity expansion and external references; this is now fixed. 
+ However, if you're parsing arbitrary XML in other parts of your + application, we recommend you look into the defusedxml Python + packages which remedy this anywhere you parse XML, not just via + Django's serialization framework.</p> + </li> + <li> + <p>Data leakage via admin history log</p> + <p>Django's admin interface could expose supposedly-hidden + information via its history log. This has been fixed.</p> + </li> + </ol> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2013-1664</cvename> + <cvename>CVE-2013-1665</cvename> + <cvename>CVE-2013-0305</cvename> + <cvename>CVE-2013-0306</cvename> + <bid>58022</bid> + <bid>58061</bid> + </references> + <dates> + <discovery>2013-02-21</discovery> + <entry>2013-02-24</entry> + </dates> + </vuln> + <vuln vid="dfd92cb2-7d48-11e2-ad48-00262d5ed8ee"> <topic>chromium -- multiple vulnerabilities</topic> <affects>
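Review bot: the advisory URL appears only in the blockquote's cite attribute of the new vuln entry; it should also be listed under <references> as <url>https://www.djangoproject.com/weblog/2013/feb/19/security/</url> so the entry's references point at the primary source. Related: the description enumerates four issues and <references> carries four CVEs, but the XML item covers two distinct problems (entity expansion and external references), so before committing it is worth confirming which of the four CVEs, if any, covers the host header poisoning item, and adding a reference for it if one exists. One caveat for readers of the entry: the quoted text states that 1.3.6 and 1.4.4 ship with ALLOWED_HOSTS allowing all hosts, so the <lt>1.3.6</lt> and <lt>1.4.4</lt> bounds mark the package as fixed while the host header issue stays open until the administrator sets ALLOWED_HOSTS; keeping that "Important:" paragraph in the entry, as this hunk does, is the right call.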