FreeBSD : django -- multiple vulnerabilities (14a37474-1383-11e0-8a58-00215c6a37bb)
Medium Nessus Plugin ID 51393
SynopsisThe remote FreeBSD host is missing one or more security-related updates.
DescriptionDjango project reports :
Today the Django team is issuing multiple releases -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- to remedy two security issues reported to us. All users of affected versions of Django are urged to upgrade immediately. Information leakage in Django administrative interface The Django administrative interface, django.contrib.admin supports filtering of displayed lists of objects by fields on the corresponding models, including across database-level relationships.
This is implemented by passing lookup arguments in the querystring portion of the URL, and options on the ModelAdmin class allow developers to specify particular fields or relationships which will generate automatic links for filtering. Denial-of-service attack in password-reset mechanism Django's bundled authentication framework, django.contrib.auth, offers views which allow users to reset a forgotten password. The reset mechanism involves generating a one-time token composed from the user's ID, the timestamp of the reset request converted to a base36 integer, and a hash derived from the user's current password hash (which will change once the reset is complete, thus invalidating the token).
SolutionUpdate the affected packages.