Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

DSA-2529-1 python-django -- several vulnerabilities

Related Vulnerabilities: CVE-2012-3442   CVE-2012-3443   CVE-2012-3444  

Jeroen Dekkers and others reported several vulnerabilities in Django, a Python Web framework. The Common Vulnerabilities and Exposures project defines the following issues: CVE-2012-3442 Two functions do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL. CVE-2012-3443 The ImageField class completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file. CVE-2012-3444 The get_image_dimensions function in the image-handling functionality uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image. For the stable distribution (squeeze), this problem has been fixed in version 1.2.3-3+squeeze3. For the unstable distribution (sid), this problem has been fixed in version 1.4.1-1. We recommend that you upgrade your python-django packages.

Source

Debian Security Advisory

DSA-2529-1 python-django -- several vulnerabilities

Date Reported:
14 Aug 2012
Affected Packages:
python-django
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 683364.
In Mitre's CVE dictionary: CVE-2012-3442, CVE-2012-3443, CVE-2012-3444.
More information:

Jeroen Dekkers and others reported several vulnerabilities in Django, a Python Web framework. The Common Vulnerabilities and Exposures project defines the following issues:

  • CVE-2012-3442

    Two functions do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.

  • CVE-2012-3443

    The ImageField class completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.

  • CVE-2012-3444

    The get_image_dimensions function in the image-handling functionality uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.

For the stable distribution (squeeze), this problem has been fixed in version 1.2.3-3+squeeze3.

For the unstable distribution (sid), this problem has been fixed in version 1.4.1-1.

We recommend that you upgrade your python-django packages.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started