[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[TAF] wml://security/2011/dsa-2163.wml

<define-tag description>multiple vulnerabilities</define-tag>
<define-tag moreinfo>
<p>Several vulnerabilities were discovered in the Django web development


<li><a href="http://security-tracker.debian.org/tracker/CVE-2011-0696";>CVE-2011-0696</a>

    <p>For several reasons the internal CSRF protection was not used to
    validate AJAX requests in the past. However, it was discovered that
    this exception can be exploited with a combination of browser plugins
    and redirects and thus is not sufficient.</p></li>

<li><a href="http://security-tracker.debian.org/tracker/CVE-2011-0697";>CVE-2011-0697</a>

    <p>It was discovered that the file upload form is prone to cross-site
    scripting attacks via the file name.</p></li>


<p>It is important to note that this update introduces minor backward
incompatibilities due to the fixes for the above issues.
For the exact details, please see: <url http://docs.djangoproject.com/en/1.2/releases/1.2.5/>
and in particular the <q>Backwards incompatible changes</q> section.</p>

<p>Packages in the oldstable distribution (lenny) are not affected by these

<p>For the stable distribution (squeeze), this problem has been fixed in
version 1.2.3-3+squeeze1.</p>

<p>For the testing distribution (wheezy), this problem will be fixed soon.</p>

<p>For the unstable distribution (sid), this problem has been fixed in
version 1.2.5-1.</p>

<p>We recommend that you upgrade your python-django packages.</p>


# do not modify the following line
#include "$(ENGLISHDIR)/security/2011/dsa-2163.data"
# $Id: dsa-2163.wml,v 1.2 2011-02-14 21:40:51 taffit-guest Exp $

Reply to: