FreeBSD : django -- multiple vulnerabilities (14a37474-1383-11e0-8a58-00215c6a37bb)

Medium Nessus Plugin ID 51393


The remote FreeBSD host is missing one or more security-related updates.


Django project reports :

Today the Django team is issuing multiple releases -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- to remedy two security issues reported to us. All users of affected versions of Django are urged to upgrade immediately. Information leakage in Django administrative interface The Django administrative interface, django.contrib.admin supports filtering of displayed lists of objects by fields on the corresponding models, including across database-level relationships.
This is implemented by passing lookup arguments in the querystring portion of the URL, and options on the ModelAdmin class allow developers to specify particular fields or relationships which will generate automatic links for filtering. Denial-of-service attack in password-reset mechanism Django's bundled authentication framework, django.contrib.auth, offers views which allow users to reset a forgotten password. The reset mechanism involves generating a one-time token composed from the user's ID, the timestamp of the reset request converted to a base36 integer, and a hash derived from the user's current password hash (which will change once the reset is complete, thus invalidating the token).


Update the affected packages.

See Also

Plugin Details

Severity: Medium

ID: 51393

File Name: freebsd_pkg_14a37474138311e08a5800215c6a37bb.nasl

Version: $Revision: 1.8 $

Type: local

Published: 2010/12/30

Modified: 2016/05/09

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:py23-django, p-cpe:/a:freebsd:freebsd:py23-django-devel, p-cpe:/a:freebsd:freebsd:py24-django, p-cpe:/a:freebsd:freebsd:py24-django-devel, p-cpe:/a:freebsd:freebsd:py25-django, p-cpe:/a:freebsd:freebsd:py25-django-devel, p-cpe:/a:freebsd:freebsd:py26-django, p-cpe:/a:freebsd:freebsd:py26-django-devel, p-cpe:/a:freebsd:freebsd:py27-django, p-cpe:/a:freebsd:freebsd:py27-django-devel, p-cpe:/a:freebsd:freebsd:py30-django, p-cpe:/a:freebsd:freebsd:py30-django-devel, p-cpe:/a:freebsd:freebsd:py31-django, p-cpe:/a:freebsd:freebsd:py31-django-devel, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2010/12/29

Vulnerability Publication Date: 2010/12/22

Reference Information

CVE: CVE-2010-4534, CVE-2010-4535

BID: 45562, 45563

Secunia: 42715