Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : python-django vulnerabilities (USN-2347-1)
Medium Nessus Plugin ID 77725
SynopsisThe remote Ubuntu host is missing a security-related patch.
DescriptionFlorian Apolloner discovered that Django incorrectly validated URLs. A remote attacker could use this issue to conduct phishing attacks.
David Wilson discovered that Django incorrectly handled file name generation. A remote attacker could use this issue to cause Django to consume resources, resulting in a denial of service. (CVE-2014-0481)
David Greisen discovered that Django incorrectly handled certain headers in contrib.auth.middleware.RemoteUserMiddleware. A remote authenticated user could use this issue to hijack web sessions.
Collin Anderson discovered that Django incorrectly checked if a field represented a relationship between models in the administrative interface. A remote authenticated user could use this issue to possibly obtain sensitive information. (CVE-2014-0483).
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpdate the affected python-django package.