Test ID:	1.3.6.1.4.1.25623.1.0.69056
Category:	Mandrake Local Security Checks
Title:	Mandriva Security Advisory MDVSA-2011:031 (python-django)
Summary:	NOSUMMARY
Description:	Description: The remote host is missing an update to python-django announced via advisory MDVSA-2011:031. Multiple vulnerabilities has been found and corrected in python-django: Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a combination of browser plugins and redirects, a related issue to CVE-2011-0447 (CVE-2011-0696). Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload (CVE-2011-0697). Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays (CVE-2011-0698). The updated packages have been upgraded to the 1.1.4 version which is not vulnerable to these issues. Affected: 2010.0, 2010.1 Solution: To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. http://www.securityspace.com/smysecure/catid.html?in=MDVSA-2011:031 Risk factor : High CVSS Score: 7.5
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2011-0447 BugTraq ID: 46291 http://www.securityfocus.com/bid/46291 Debian Security Information: DSA-2247 (Google Search) http://www.debian.org/security/2011/dsa-2247 http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source&output=gplain http://www.securitytracker.com/id?1025060 http://secunia.com/advisories/43274 http://secunia.com/advisories/43666 http://www.vupen.com/english/advisories/2011/0587 http://www.vupen.com/english/advisories/2011/0877 Common Vulnerability Exposure (CVE) ID: CVE-2011-0696 43230 http://secunia.com/advisories/43230 43297 http://secunia.com/advisories/43297 43382 http://secunia.com/advisories/43382 43426 http://secunia.com/advisories/43426 46296 http://www.securityfocus.com/bid/46296 ADV-2011-0372 http://www.vupen.com/english/advisories/2011/0372 ADV-2011-0388 http://www.vupen.com/english/advisories/2011/0388 ADV-2011-0429 http://www.vupen.com/english/advisories/2011/0429 ADV-2011-0439 http://www.vupen.com/english/advisories/2011/0439 ADV-2011-0441 http://www.vupen.com/english/advisories/2011/0441 DSA-2163 http://www.debian.org/security/2011/dsa-2163 FEDORA-2011-1235 http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054208.html FEDORA-2011-1261 http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html MDVSA-2011:031 http://www.mandriva.com/security/advisories?name=MDVSA-2011:031 USN-1066-1 http://www.ubuntu.com/usn/USN-1066-1 [oss-security] 20110209 Django multiple flaws (CVEs inside) http://openwall.com/lists/oss-security/2011/02/09/6 http://www.djangoproject.com/weblog/2011/feb/08/security/ https://bugzilla.redhat.com/show_bug.cgi?id=676357 Common Vulnerability Exposure (CVE) ID: CVE-2011-0697 https://bugzilla.redhat.com/show_bug.cgi?id=676359 Common Vulnerability Exposure (CVE) ID: CVE-2011-0698 BugTraq ID: 46296
Copyright	Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.