-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1640-1                  security@xxxxxxxxxx
http://www.debian.org/security/                           Thijs Kinkhorst
September 20, 2008                    http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : python-django
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-3909 CVE-2007-5712
Debian Bug     : 497765 448838

Simon Willison discovered that in Django, a Python web framework, the
feature to retain HTTP POST data during user reauthentication allowed a
remote attacker to perform unauthorized modification of data through
cross site request forgery. This is possible regardless of whether the
Django plugin to prevent cross site request forgery is enabled. The
Common Vulnerabilities and Exposures project identifies this issue as
CVE-2008-3909. In this update the affected feature is disabled; this is
in accordance with upstream's preferred solution for this situation.

This update takes the opportunity to also include a fix for a relatively
minor denial of service issue in the internationalisation framework,
known as CVE-2007-5712.

For the stable distribution (etch), these problems have been fixed in
version 0.95.1-1etch2.

For the unstable distribution (sid), these problems have been fixed in
version 1.0-1.

We recommend that you upgrade your python-django package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1-1etch2.dsc
    Size/MD5 checksum:      940 62d31adf6a658ab089df66916148d2d8
  http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1.orig.tar.gz
    Size/MD5 checksum:  1297839 07f09d8429916481e09e84fd01e97355
  http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1-1etch2.diff.gz
    Size/MD5 checksum:     8069 6e5e17af4148911137b1a8aebaa8096c

Architecture independent packages:

  http://security.debian.org/pool/updates/main/p/python-django/python-django_0.95.1-1etch2_all.deb
    Size/MD5 checksum:  1025742 93417b16a120eada12b807b8372cc858


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSNT1Q2z0hbPcukPfAQLGLQgAsA4MuOT8zyDNY/lR4ONjr+t1eJr583er
u77Z3nn5zGn6DoOUEww7tRV04I2iMI+s2jAbFLcw8j3Q7U+AY3HXtJq0Tlk2Zyup
OKAZdiCNIYMR4gulWrs0MQG0cWePLvK5hjSL2Hmol651p288vVQ1k/CknCVX8j0s
L/l+fB1XhOCvF2Mk985iBT5ZVw9fpHHjiK+QVE3HEayGNHzEr9oTE/GEhIYv6SZ0
eIWzmNHVYmBuevMun7Hn31AqYe4WRAfza+AWryt8RnGCGOVLbRFJ2YO4zsNh+9Ps
p0GLXWM4JKqferyzZgwsl2/1sb7PdtWWgWynQbOSG/7NxsG5SyHDmA==
=1lGA
-----END PGP SIGNATURE-----
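The following is an added illustration of the CVE-2008-3909 mechanism
described in the advisory above; it is not code from Django or from Debian.
It models a site whose login form retains an interrupted POST in a hidden
field and replays it after the user authenticates, beside the corrected
behaviour in which the retained data is simply dropped (the approach the
update takes). The class and field names (App, protected_view, login_view,
post_data), the JSON/base64 encoding of the retained data, and the sample
account are assumptions made for the example.

```python
"""Illustrative model of the POST-retention flaw in DSA-1640-1 (CVE-2008-3909).

Added example, not Django's code: App, protected_view, login_view, the
`post_data` hidden field, the base64/JSON encoding and the sample account
are all assumptions chosen to make the mechanism visible.
"""
import base64
import json
import secrets

# Constructed sample account; a real application would store a password hash.
PASSWORDS = {"alice": "correct horse battery staple"}


class App:
    def __init__(self, retain_post_data):
        # True  = replay the interrupted POST after login (the disabled feature)
        # False = the corrected behaviour: the user has to repeat the action
        self.retain_post_data = retain_post_data
        self.profile = {"alice": {"email": "alice@example.org"}}

    def change_email(self, user, post):
        self.profile[user]["email"] = post["email"]
        return "200 email changed"

    def protected_view(self, session, post):
        """POST handler that needs a logged-in user and a valid CSRF token."""
        if session.get("user") is None:
            # No (or expired) session: answer with the login page. The token
            # is minted here, so the genuine login form carries a valid one.
            session.setdefault("csrf_token", secrets.token_hex(16))
            page = {"form": "login", "csrf_token": session["csrf_token"]}
            if self.retain_post_data:
                # The interrupted POST is smuggled into a hidden field, to be
                # replayed once the user authenticates.
                encoded = base64.b64encode(json.dumps(post).encode()).decode()
                page["post_data"] = encoded
            return page
        if post.get("csrf_token") != session["csrf_token"]:
            return "403 csrf"
        return self.change_email(session["user"], post)

    def login_view(self, session, post):
        """Login form handler. Its own CSRF check passes because the victim
        submits the genuine login page; the smuggled payload is never checked."""
        token = session.get("csrf_token")
        if token is None or post.get("csrf_token") != token:
            return "403 csrf"
        if PASSWORDS.get(post.get("username")) != post.get("password"):
            return "401 bad credentials"
        session["user"] = post["username"]
        if self.retain_post_data and post.get("post_data"):
            replayed = json.loads(base64.b64decode(post["post_data"]))
            # The replay goes straight to the action, bypassing the CSRF check
            # in protected_view: whatever the hidden field held is executed.
            return self.change_email(session["user"], replayed)
        return "200 logged in"


def csrf_scenario(retain_post_data):
    """Cross-site POST to the protected URL from a logged-out victim's browser,
    followed by the victim logging in on the page that comes back.
    Returns the victim's e-mail address afterwards."""
    app = App(retain_post_data)
    session = {}                                        # victim has no live session
    attacker_post = {"email": "attacker@example.net"}   # constructed payload
    page = app.protected_view(session, attacker_post)
    assert page["form"] == "login"
    # The victim fills in real credentials; the browser also sends the hidden
    # fields the server put in the form, including any post_data.
    login_post = {"username": "alice", "password": PASSWORDS["alice"],
                  "csrf_token": page["csrf_token"]}
    if "post_data" in page:
        login_post["post_data"] = page["post_data"]
    app.login_view(session, login_post)
    return app.profile["alice"]["email"]


if __name__ == "__main__":
    print("retained:", csrf_scenario(True))    # attacker@example.net
    print("disabled:", csrf_scenario(False))   # alice@example.org
```

Run as a script: with retention on, a cross-site POST made while the victim
has no session is executed after the victim's legitimate login, even though
both the login form and the protected view check a CSRF token, which is why
the advisory notes the CSRF plugin does not help. With retention off, the
login succeeds and nothing is replayed; the user repeats the action, which is
the effect of the disabled feature in 0.95.1-1etch2.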