Mandrake Local Security Checks : Mandriva Security Advisory MDVSA-2012:143 (python-django)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.72113

Categoría: Mandrake Local Security Checks

Título: Mandriva Security Advisory MDVSA-2012:143 (python-django)

Resumen: NOSUMMARY

Descripción: Description:
The remote host is missing an update to python-django
announced via advisory MDVSA-2012:143.

Multiple vulnerabilities has been discovered and corrected in
python-django:

The (1) django.http.HttpResponseRedirect and (2)
django.http.HttpResponsePermanentRedirect classes in Django before
1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect
target, which might allow remote attackers to conduct cross-site
scripting (XSS) attacks via a data: URL (CVE-2012-3442).

The django.forms.ImageField class in the form system in Django
before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image
data during image validation, which allows remote attackers to cause
a denial of service (memory consumption) by uploading an image file
(CVE-2012-3443).

The get_image_dimensions function in the image-handling functionality
in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk
size in all attempts to determine dimensions, which allows remote
attackers to cause a denial of service (process or thread consumption)
via a large TIFF image (CVE-2012-3444).

The updated packages have been upgraded to the 1.3.3 version which
is not vulnerable to these issues.

Affected: 2011., Enterprise Server 5.0

Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

http://www.securityspace.com/smysecure/catid.html?in=MDVSA-2012:143

Risk factor : High

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2012-3442
DSA-2529
http://www.debian.org/security/2012/dsa-2529
MDVSA-2012:143
http://www.mandriva.com/security/advisories?name=MDVSA-2012:143
USN-1560-1
http://www.ubuntu.com/usn/USN-1560-1
[oss-security] 20120730 CVE Request: Django 1.3.1 and 1.4.0 security issues
http://www.openwall.com/lists/oss-security/2012/07/31/1
[oss-security] 20120730 Re: CVE Request: Django 1.3.1 and 1.4.0 security issues
http://www.openwall.com/lists/oss-security/2012/07/31/2
https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
Common Vulnerability Exposure (CVE) ID: CVE-2012-3443
Common Vulnerability Exposure (CVE) ID: CVE-2012-3444

Copyright Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.72113
Categoría:	Mandrake Local Security Checks
Título:	Mandriva Security Advisory MDVSA-2012:143 (python-django)
Resumen:	NOSUMMARY
Descripción:	Description: The remote host is missing an update to python-django announced via advisory MDVSA-2012:143. Multiple vulnerabilities has been discovered and corrected in python-django: The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL (CVE-2012-3442). The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file (CVE-2012-3443). The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image (CVE-2012-3444). The updated packages have been upgraded to the 1.3.3 version which is not vulnerable to these issues. Affected: 2011., Enterprise Server 5.0 Solution: To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. http://www.securityspace.com/smysecure/catid.html?in=MDVSA-2012:143 Risk factor : High
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2012-3442 DSA-2529 http://www.debian.org/security/2012/dsa-2529 MDVSA-2012:143 http://www.mandriva.com/security/advisories?name=MDVSA-2012:143 USN-1560-1 http://www.ubuntu.com/usn/USN-1560-1 [oss-security] 20120730 CVE Request: Django 1.3.1 and 1.4.0 security issues http://www.openwall.com/lists/oss-security/2012/07/31/1 [oss-security] 20120730 Re: CVE Request: Django 1.3.1 and 1.4.0 security issues http://www.openwall.com/lists/oss-security/2012/07/31/2 https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/ Common Vulnerability Exposure (CVE) ID: CVE-2012-3443 Common Vulnerability Exposure (CVE) ID: CVE-2012-3444
Copyright	Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com