Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : python-django vulnerabilities (USN-1757-1)

Ubuntu Security Notice (C) 2013 Canonical, Inc. / NASL script (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

James Kettle discovered that Django did not properly filter the Host
HTTP header when processing certain requests. An attacker could
exploit this to generate and display arbitrary URLs to users. Although
this issue had been previously addressed in USN-1632-1, this update
adds additional hardening measures to host header validation. This
update also adds a new ALLOWED_HOSTS setting that can be set to a list
of acceptable values for headers. (CVE-2012-4520)

Orange Tsai discovered that Django incorrectly performed permission
checks when displaying the history view in the admin interface. An
administrator could use this flaw to view the history of any object,
regardless of intended permissions. (CVE-2013-0305)

It was discovered that Django incorrectly handled a large number of
forms when generating formsets. An attacker could use this flaw to
cause Django to consume memory, resulting in a denial of service.
(CVE-2013-0306)

It was discovered that Django incorrectly deserialized XML. An
attacker could use this flaw to perform entity-expansion and
external-entity/DTD attacks. This updated modified Django behaviour to
no longer allow DTDs, perform entity expansion, or fetch external
entities/DTDs. (CVE-2013-1664, CVE-2013-1665).

Solution :

Update the affected python-django package.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSS Temporal Score : 5.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 65096 ()

Bugtraq ID: 56146
58022
58061

CVE ID: CVE-2012-4520
CVE-2013-0305
CVE-2013-0306
CVE-2013-1664
CVE-2013-1665