FreeBSD : django -- multiple vulnerabilities (14a37474-1383-11e0-8a58-00215c6a37bb)

medium Nessus Plugin ID 51393

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Django project reports:

Today the Django team is issuing multiple releases -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- to remedy two security issues reported to us. All users of affected versions of Django are urged to upgrade immediately.

Information leakage in Django administrative interface

The Django administrative interface, django.contrib.admin, supports filtering of displayed lists of objects by fields on the corresponding models, including across database-level relationships. This is implemented by passing lookup arguments in the querystring portion of the URL, and options on the ModelAdmin class allow developers to specify particular fields or relationships which will generate automatic links for filtering.

Denial-of-service attack in password-reset mechanism

Django's bundled authentication framework, django.contrib.auth, offers views which allow users to reset a forgotten password. The reset mechanism involves generating a one-time token composed from the user's ID, the timestamp of the reset request converted to a base36 integer, and a hash derived from the user's current password hash (which will change once the reset is complete, thus invalidating the token).
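As an added example (not Django's own code; every name here is hypothetical), a reset token of the shape the announcement describes, with a verifier that bounds the base36 timestamp segment and the token age before doing any comparison work. It assumes a seconds-since-epoch timestamp and an HMAC-SHA256 digest keyed with a constructed secret.

```python
import hashlib
import hmac
import time

# Constructed demo values; a deployment uses its own secret (assumption: HMAC-SHA256).
SECRET_KEY = b"constructed-demo-secret"
MAX_TOKEN_AGE = 3 * 24 * 3600   # seconds a reset link stays valid (assumed policy)
MAX_TS_B36_LEN = 7              # base36 seconds-since-epoch never needs more digits
B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def int_to_base36(n):
    out = ""
    while True:
        n, r = divmod(n, 36)
        out = B36[r] + out
        if n == 0:
            return out


def base36_to_int(s):
    # Validate length and alphabet before int() does arbitrary-precision work
    if not 0 < len(s) <= MAX_TS_B36_LEN or any(c not in B36 for c in s):
        raise ValueError("malformed base36 timestamp")
    return int(s, 36)


def _digest(user_id, ts, password_hash):
    # Binds the token to the current password hash, so a completed reset invalidates it
    msg = f"{user_id}:{ts}:{password_hash}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]


def make_token(user_id, password_hash, now=None):
    ts = int(time.time() if now is None else now)
    return f"{user_id}-{int_to_base36(ts)}-{_digest(user_id, ts, password_hash)}"


def check_token(token, user_id, password_hash, now=None):
    """Return True only for a well-formed, unexpired token matching this user."""
    try:
        uid, ts36, digest = token.split("-")
        ts = base36_to_int(ts36)
    except ValueError:       # wrong field count or oversized/invalid timestamp
        return False
    now = int(time.time() if now is None else now)
    if uid != str(user_id) or not 0 <= now - ts <= MAX_TOKEN_AGE:
        return False
    return hmac.compare_digest(digest, _digest(user_id, ts, password_hash))
```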

Solution

Update the affected packages.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=665373

http://www.nessus.org/u?2d645320

Plugin Details

Severity: Medium

ID: 51393

File Name: freebsd_pkg_14a37474138311e08a5800215c6a37bb.nasl

Version: 1.11

Type: local

Published: 12/30/2010

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:py23-django, p-cpe:/a:freebsd:freebsd:py23-django-devel, p-cpe:/a:freebsd:freebsd:py24-django, p-cpe:/a:freebsd:freebsd:py24-django-devel, p-cpe:/a:freebsd:freebsd:py25-django, p-cpe:/a:freebsd:freebsd:py25-django-devel, p-cpe:/a:freebsd:freebsd:py26-django, p-cpe:/a:freebsd:freebsd:py26-django-devel, p-cpe:/a:freebsd:freebsd:py27-django, p-cpe:/a:freebsd:freebsd:py27-django-devel, p-cpe:/a:freebsd:freebsd:py30-django, p-cpe:/a:freebsd:freebsd:py30-django-devel, p-cpe:/a:freebsd:freebsd:py31-django, p-cpe:/a:freebsd:freebsd:py31-django-devel, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 12/29/2010

Vulnerability Publication Date: 12/22/2010

Reference Information

CVE: CVE-2010-4534, CVE-2010-4535

BID: 45562, 45563

Secunia: 42715