CVE-2015-0222

Related Files

Mandriva Linux Security Advisory 2015-109

Posted Mar 30, 2015

Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-109 - Jedediah Smith discovered that Django incorrectly handled underscores in WSGI headers. A remote attacker could possibly use this issue to spoof headers in certain environments. Mikko Ohtamaa discovered that Django incorrectly handled user-supplied redirect URLs. A remote attacker could possibly use this issue to perform a cross-site scripting attack. Alex Gaynor discovered that Django incorrectly handled reading files in django.views.static.serve(). A remote attacker could possibly use this issue to cause Django to consume resources, resulting in a denial of service. Keryn Knight discovered that Django incorrectly handled forms with ModelMultipleChoiceField. A remote attacker could possibly use this issue to cause a large number of SQL queries, resulting in a database denial of service. Note that this issue only affected python-django. Cross-site scripting vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a \@property.

tags | advisory, remote, web, denial of service, arbitrary, spoof, xss, python

systems | linux, mandriva

advisories | CVE-2015-0219, CVE-2015-0220, CVE-2015-0221, CVE-2015-0222, CVE-2015-2241

SHA-256 | 73ed54e1b87bdc65f660a901fe9524ca68b38f6616915656e7bcdd6f60701f1c

Download | Favorite | View

Ubuntu Security Notice USN-2469-2

Posted Feb 4, 2015

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2469-2 - USN-2469-1 fixed vulnerabilities in Django. The security fix for CVE-2015-0221 introduced a regression on Ubuntu 10.04 LTS and Ubuntu 12.04 LTS when serving static content through GZipMiddleware. This update fixes the problem. Various other issues were also addressed.

tags | advisory, vulnerability

systems | linux, ubuntu

advisories | CVE-2015-0219, CVE-2015-0220, CVE-2015-0221, CVE-2015-0222

SHA-256 | 5dc4cf9fd9fb7b32640fdad08d1ed4b56744197013e1ee313e726c46e7b1c6b6

Download | Favorite | View

Ubuntu Security Notice USN-2469-1

Posted Jan 14, 2015

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2469-1 - Jedediah Smith discovered that Django incorrectly handled underscores in WSGI headers. A remote attacker could possibly use this issue to spoof headers in certain environments. Mikko Ohtamaa discovered that Django incorrectly handled user-supplied redirect URLs. A remote attacker could possibly use this issue to perform a cross-site scripting attack. Alex Gaynor discovered that Django incorrectly handled reading files in django.views.static.serve(). A remote attacker could possibly use this issue to cause Django to consume resources, resulting in a denial of service. Various other issues were also addressed.

tags | advisory, remote, denial of service, spoof, xss

systems | linux, ubuntu

advisories | CVE-2015-0219, CVE-2015-0220, CVE-2015-0221, CVE-2015-0222

SHA-256 | cf000da88b9863ec2a0ae7af5936ce03f27fabeb8b4e2e9c8f5f08774d6d8b01

Download | Favorite | View