Date: Sun, 6 Jan 2013 18:14:24 +0000 (UTC) From: Li-Wen Hsu <lwhsu@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r310004 - head/security/vuxml Message-ID: <201301061814.r06IEOCt027075@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: lwhsu Date: Sun Jan 6 18:14:23 2013 New Revision: 310004 URL: http://svnweb.freebsd.org/changeset/ports/310004 Log: Document Django 2012-12-10 vulnerabilty Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun Jan 6 17:42:35 2013 (r310003) +++ head/security/vuxml/vuln.xml Sun Jan 6 18:14:23 2013 (r310004) @@ -51,6 +51,80 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="1b769b72-582b-11e2-b66b-00e0814cab4e"> + <topic>django -- multiple vulnerabilities</topic> + <affects> + <package> + <name>django</name> + <range><lt>1.4.3</lt></range> + </package> + <package> + <name>django13</name> + <range><lt>1.3.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The Django Project reports:</p> + <blockquote cite="https://www.djangoproject.com/weblog/2012/dec/10/security/">; + <ol> + <li> + <p>Host header poisoning</p> + <p>Several earlier Django security releases focused on the issue of + poisoning the HTTP Host header, causing Django to generate URLs + pointing to arbitrary, potentially-malicious domains.</p> + <p>In response to further input received and reports of continuing + issues following the previous release, we're taking additional + steps to tighten Host header validation. Rather than attempt to + accommodate all features HTTP supports here, Django's Host header + validation attempts to support a smaller, but far more common, subset:</p> + <ul> + <li>Hostnames must consist of characters [A-Za-z0-9] plus hyphen + ('-') or dot ('.').</li> + <li>IP addresses -- both IPv4 and IPv6 -- are permitted.</li> + <li>Port, if specified, is numeric.</li> + </ul> + <p>Any deviation from this will now be rejected, raising the exception + django.core.exceptions.SuspiciousOperation.</p> + </li> + <li> + <p>Redirect poisoning</p> + <p>Also following up on a previous issue: in July of this year, we made + changes to Django's HTTP redirect classes, performing additional + validation of the scheme of the URL to redirect to (since, both + within Django's own supplied applications and many third-party + applications, accepting a user-supplied redirect target is a common + pattern).</p> + <p>Since then, two independent audits of the code turned up further + potential problems. So, similar to the Host-header issue, we are + taking steps to provide tighter validation in response to reported + problems (primarily with third-party applications, but to a certain + extent also within Django itself). This comes in two parts:</p> + <ol> + <li>A new utility function, django.utils.http.is_safe_url, is + added; this function takes a URL and a hostname, and checks + that the URL is either relative, or if absolute matches the + supplied hostname. This function is intended for use whenever + user-supplied redirect targets are accepted, to ensure that + such redirects cannot lead to arbitrary third-party sites.</li> + <li>All of Django's own built-in views -- primarily in the + authentication system -- which allow user-supplied redirect + targets now use is_safe_url to validate the supplied URL.</li> + </ol> + </li> + </ol> + </blockquote> + </body> + </description> + <references> + <url>https://www.djangoproject.com/weblog/2012/dec/10/security/</url>; + </references> + <dates> + <discovery>2012-12-10</discovery> + <entry>2013-01-06</entry> + </dates> + </vuln> + <vuln vid="1ae613c3-5728-11e2-9483-14dae938ec40"> <topic>freetype -- Multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201301061814.r06IEOCt027075>