Debian DSA-3151-1 : python-django - security update

medium Nessus Plugin ID 81131

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities were discovered in Django, a high-level Python web development framework. The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2015-0219 Jedediah Smith reported that the WSGI environ in Django does not distinguish between headers containing dashes and headers containing underscores. A remote attacker could use this flaw to spoof WSGI headers.

- CVE-2015-0220 Mikko Ohtamaa discovered that the django.util.http.is_safe_url() function in Django does not properly handle leading whitespaces in user-supplied redirect URLs. A remote attacker could potentially use this flaw to perform a cross-site scripting attack.

- CVE-2015-0221 Alex Gaynor reported a flaw in the way Django handles reading files in the django.views.static.serve() view. A remote attacker could possibly use this flaw to mount a denial of service via resource consumption.

Solution

Upgrade the python-django packages.

For the stable distribution (wheezy), these problems have been fixed in version 1.4.5-1+deb7u9.

For the upcoming stable distribution (jessie), these problems have been fixed in version 1.7.1-1.1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775375

https://security-tracker.debian.org/tracker/CVE-2015-0219

https://security-tracker.debian.org/tracker/CVE-2015-0220

https://security-tracker.debian.org/tracker/CVE-2015-0221

https://packages.debian.org/source/wheezy/python-django

https://www.debian.org/security/2015/dsa-3151

Plugin Details

Severity: Medium

ID: 81131

File Name: debian_DSA-3151.nasl

Version: 1.9

Type: local

Agent: unix

Published: 2/3/2015

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:7.0, p-cpe:/a:debian:debian_linux:python-django

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 2/3/2015

Reference Information

CVE: CVE-2015-0219, CVE-2015-0220, CVE-2015-0221

BID: 72078, 72079, 72081

DSA: 3151