
[TAF] wml://security/2011/dsa-2163.wml



<define-tag description>multiple vulnerabilities</define-tag>
<define-tag moreinfo>
<p>Several vulnerabilities were discovered in the Django web development
framework:</p>

<ul>

<li><a href="http://security-tracker.debian.org/tracker/CVE-2011-0696">CVE-2011-0696</a>

    <p>For several reasons the internal CSRF protection was not used to
    validate AJAX requests in the past. However, it was discovered that
    this exception can be exploited with a combination of browser plugins
    and redirects and thus is not sufficient.</p></li>

<li><a href="http://security-tracker.debian.org/tracker/CVE-2011-0697">CVE-2011-0697</a>

    <p>It was discovered that the file upload form is prone to cross-site
    scripting attacks via the file name.</p></li>

</ul>

<p>It is important to note that this update introduces minor backward
incompatibilities due to the fixes for the above issues.
For the exact details, please see: <url http://docs.djangoproject.com/en/1.2/releases/1.2.5/>
and in particular the <q>Backwards incompatible changes</q> section.</p>
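
<p>As an added illustration (not Django's own middleware and not part of the advisory): the check pattern that CVE-2011-0696 concerns, where an AJAX marker header is accepted in place of the CSRF token, beside the strict form that validates every state-changing request. The strict form is also why existing AJAX clients must now send the token, the backward incompatibility noted above. The request dictionaries, header name and field names are assumptions made for this example.</p>

```python
import hmac

# Constructed illustration of the CSRF exemption that CVE-2011-0696 concerns.
# Not Django's middleware: requests are plain dicts, and the cookie and form
# field names merely mirror Django's conventions (assumptions for the example).

AJAX_HEADER = "X-Requested-With"
STATE_CHANGING = ("POST", "PUT", "DELETE", "PATCH")


def has_valid_token(request):
    """True if the submitted form token matches the token bound to the session."""
    expected = request.get("cookies", {}).get("csrftoken", "")
    submitted = request.get("post", {}).get("csrfmiddlewaretoken", "")
    # Constant-time compare; an empty expected token can never match.
    return bool(expected) and hmac.compare_digest(expected, submitted)


def csrf_check_with_ajax_exemption(request):
    """Pre-1.2.5 pattern: trust the AJAX marker header instead of the token.

    This only holds while no cross-origin client can attach that header,
    which the advisory says is not the case."""
    if request["method"] not in STATE_CHANGING:
        return True
    if request.get("headers", {}).get(AJAX_HEADER) == "XMLHttpRequest":
        return True
    return has_valid_token(request)


def csrf_check_strict(request):
    """1.2.5 pattern: every state-changing request must carry a valid token."""
    if request["method"] not in STATE_CHANGING:
        return True
    return has_valid_token(request)


def make_request(method, with_token=False, ajax=False):
    """Build a constructed sample request; 'secret-token' stands in for a real one."""
    request = {"method": method, "cookies": {"csrftoken": "secret-token"},
               "headers": {}, "post": {}}
    if with_token:
        request["post"]["csrfmiddlewaretoken"] = "secret-token"
    if ajax:
        request["headers"][AJAX_HEADER] = "XMLHttpRequest"
    return request


if __name__ == "__main__":
    forged = make_request("POST", with_token=False, ajax=True)
    print("exempting check accepts tokenless AJAX POST:",
          csrf_check_with_ajax_exemption(forged))  # True
    print("strict check accepts it:", csrf_check_strict(forged))  # False
```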

<p>Packages in the oldstable distribution (lenny) are not affected by these
problems.</p>

<p>For the stable distribution (squeeze), these problems have been fixed in
version 1.2.3-3+squeeze1.</p>

<p>For the testing distribution (wheezy), these problems will be fixed soon.</p>

<p>For the unstable distribution (sid), these problems have been fixed in
version 1.2.5-1.</p>

<p>We recommend that you upgrade your python-django packages.</p>

</define-tag>

# do not modify the following line
#include "$(ENGLISHDIR)/security/2011/dsa-2163.data"
# $Id: dsa-2163.wml,v 1.2 2011-02-14 21:40:51 taffit-guest Exp $
