Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2013-0284)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.1.10.2013.0284

Categoría: Mageia Linux Local Security Checks

Título: Mageia: Security Advisory (MGASA-2013-0284)

Resumen: The remote host is missing an update for the 'python-django' package(s) announced via the MGASA-2013-0284 advisory.

Descripción: Summary:
The remote host is missing an update for the 'python-django' package(s) announced via the MGASA-2013-0284 advisory.

Vulnerability Insight:
Updated python-django package fixes security vulnerabilities:

Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi'
template tags in python-django, a high-level Python web development framework.
It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to
represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a
directory traversal attack, by specifying a file path which begins as the
absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative
paths to break free. To exploit this vulnerability an attacker must be in a
position to alter templates on the site, or the site to be attacked must have
one or more templates making use of the 'ssi' tag, and must allow some form of
unsanitized user input to be used as an argument to the 'ssi' tag
(CVE-2013-4315).

Django before 1.4.8 allows for denial-of-service attacks through repeated
submission of large passwords, tying up server resources in the expensive
computation of the corresponding hashes (CVE-2013-1443).

Affected Software/OS:
'python-django' package(s) on Mageia 3.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2013-1443
Debian Security Information: DSA-2758 (Google Search)
http://www.debian.org/security/2013/dsa-2758
http://python.6.x6.nabble.com/Set-a-reasonable-upper-bound-on-password-length-td5032218.html
SuSE Security Announcement: openSUSE-SU-2013:1541 (Google Search)
http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html
SuSE Security Announcement: openSUSE-SU-2013:1685 (Google Search)
http://lists.opensuse.org/opensuse-updates/2013-11/msg00035.html
Common Vulnerability Exposure (CVE) ID: CVE-2013-4315
Debian Security Information: DSA-2755 (Google Search)
http://www.debian.org/security/2013/dsa-2755
RedHat Security Advisories: RHSA-2013:1521
http://rhn.redhat.com/errata/RHSA-2013-1521.html
http://secunia.com/advisories/54772
http://secunia.com/advisories/54828

Copyright Copyright (C) 2022 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.1.10.2013.0284
Categoría:	Mageia Linux Local Security Checks
Título:	Mageia: Security Advisory (MGASA-2013-0284)
Resumen:	The remote host is missing an update for the 'python-django' package(s) announced via the MGASA-2013-0284 advisory.
Descripción:	Summary: The remote host is missing an update for the 'python-django' package(s) announced via the MGASA-2013-0284 advisory. Vulnerability Insight: Updated python-django package fixes security vulnerabilities: Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi' template tags in python-django, a high-level Python web development framework. It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a directory traversal attack, by specifying a file path which begins as the absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative paths to break free. To exploit this vulnerability an attacker must be in a position to alter templates on the site, or the site to be attacked must have one or more templates making use of the 'ssi' tag, and must allow some form of unsanitized user input to be used as an argument to the 'ssi' tag (CVE-2013-4315). Django before 1.4.8 allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes (CVE-2013-1443). Affected Software/OS: 'python-django' package(s) on Mageia 3. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2013-1443 Debian Security Information: DSA-2758 (Google Search) http://www.debian.org/security/2013/dsa-2758 http://python.6.x6.nabble.com/Set-a-reasonable-upper-bound-on-password-length-td5032218.html SuSE Security Announcement: openSUSE-SU-2013:1541 (Google Search) http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html SuSE Security Announcement: openSUSE-SU-2013:1685 (Google Search) http://lists.opensuse.org/opensuse-updates/2013-11/msg00035.html Common Vulnerability Exposure (CVE) ID: CVE-2013-4315 Debian Security Information: DSA-2755 (Google Search) http://www.debian.org/security/2013/dsa-2755 RedHat Security Advisories: RHSA-2013:1521 http://rhn.redhat.com/errata/RHSA-2013-1521.html http://secunia.com/advisories/54772 http://secunia.com/advisories/54828
Copyright	Copyright (C) 2022 Greenbone AG