Test ID: | 1.3.6.1.4.1.25623.1.1.10.2013.0284 |
Category: | Mageia Linux Local Security Checks |
Title: | Mageia: Security Advisory (MGASA-2013-0284) |
Summary: | The remote host is missing an update for the 'python-django' package(s) announced via the MGASA-2013-0284 advisory. |
Description: | Summary: The remote host is missing an update for the 'python-django' package(s) announced via the MGASA-2013-0284 advisory.

Vulnerability Insight: Updated python-django package fixes security vulnerabilities:

Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi' template tags in python-django, a high-level Python web development framework. It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a directory traversal attack, by specifying a file path which begins as the absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative paths to break free. To exploit this vulnerability an attacker must be in a position to alter templates on the site, or the site to be attacked must have one or more templates making use of the 'ssi' tag, and must allow some form of unsanitized user input to be used as an argument to the 'ssi' tag (CVE-2013-4315).

Django before 1.4.8 allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes (CVE-2013-1443).

Affected Software/OS: 'python-django' package(s) on Mageia 3.

Solution: Please install the updated package(s).

CVSS Score: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N |
Cross-reference: |
Common Vulnerability Exposure (CVE) ID: CVE-2013-1443
Debian Security Information: DSA-2758 http://www.debian.org/security/2013/dsa-2758
http://python.6.x6.nabble.com/Set-a-reasonable-upper-bound-on-password-length-td5032218.html
SuSE Security Announcement: openSUSE-SU-2013:1541 http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html
SuSE Security Announcement: openSUSE-SU-2013:1685 http://lists.opensuse.org/opensuse-updates/2013-11/msg00035.html

Common Vulnerability Exposure (CVE) ID: CVE-2013-4315
Debian Security Information: DSA-2755 http://www.debian.org/security/2013/dsa-2755
RedHat Security Advisories: RHSA-2013:1521 http://rhn.redhat.com/errata/RHSA-2013-1521.html
http://secunia.com/advisories/54772
http://secunia.com/advisories/54828 |
Copyright | Copyright (C) 2022 Greenbone AG |