diff options
| author | Russell Keith-Magee <russell@keith-magee.com> | 2013-09-19 14:57:01 +0800 |
|---|---|---|
| committer | Russell Keith-Magee <russell@keith-magee.com> | 2013-09-19 14:57:01 +0800 |
| commit | 9d3e60aa3e97642d20317d6732f374ed91e7a90b (patch) | |
| tree | 2c8912e6929f22baf4e8dc3f0d097cfe11683653 | |
| parent | 8e134c27c932069076d87b551e8fe710a1e1572e (diff) | |
Reworked security issue list to be per-issue, not per-release.
| -rw-r--r-- | docs/releases/security.txt | 529 |
1 files changed, 226 insertions, 303 deletions
diff --git a/docs/releases/security.txt b/docs/releases/security.txt index 635e51efe8..474eeee26d 100644 --- a/docs/releases/security.txt +++ b/docs/releases/security.txt @@ -41,46 +41,29 @@ security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned. -August 16, 2006 ---------------- +August 16, 2006 - CVE-2007-0404 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Issues:** +`CVE-2007-0404 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_: Filename validation issue in translation framework. `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__ - * Filename validation issue in translation framework: `CVE-2007-0404 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_ +Versions affected +----------------- -* **Versions affected:** +* Django 0.90 `(patch) <https://github.com/django/django/commit/518d406e53>`__ - * Django 0.90 +* Django 0.91 `(patch) <https://github.com/django/django/commit/518d406e53>`__ - * Django 0.91 +* Django 0.95 `(patch) <https://github.com/django/django/commit/a132d411c6>`__ (released January 21 2007) -* `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__ +January 21, 2007 - CVE-2007-0405 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* Patch: `unified 0.90/0.91 <https://github.com/django/django/commit/518d406e53>`__ - - -January 21, 2007 ----------------- - -* **Issues:** - - * Patch `CVE-2007-0404`_ for Django 0.95 - - * Apparent "caching" of authenticated user: `CVE-2007-0405 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_ - -* **Versions affected:** - - * Django 0.95 - -* `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__ - -* **Patches:** - - * `2006-08-26 issue <https://github.com/django/django/commit/a132d411c6>`__ - - * `User caching issue <https://github.com/django/django/commit/e89f0a6558>`__ +`CVE-2007-0405 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_: Apparent "caching" of authenticated user. `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__ +Versions affected +----------------- +* Django 0.95 `(patch) <https://github.com/django/django/commit/e89f0a6558>`__ Issues under Django's security process ====================================== @@ -88,440 +71,380 @@ Issues under Django's security process All other security issues have been handled under versions of Django's security process. These are listed below. +October 26, 2007 - CVE-2007-5712 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -October 26, 2007 ----------------- - -* **Issues:** - - * Denial-of-service via arbitrarily-large ``Accept-Language`` header: `CVE-2007-5712 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_ - -* **Versions affected:** - - * Django 0.91 - - * Django 0.95 - - * Django 0.96 - -* `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__ - -* **Patches:** - - * `0.91 <https://github.com/django/django/commit/8bc36e726c9e8c75c681d3ad232df8e882aaac81>`__ - - * `0.95 <https://github.com/django/django/commit/412ed22502e11c50dbfee854627594f0e7e2c234>`__ - - * `0.96 <https://github.com/django/django/commit/7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`__ - - -May 14, 2008 ------------- - -* **Issues:** - - * XSS via admin login redirect: `CVE-2008-2302 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_ - -* **Versions affected:** - - * Django 0.91 - - * Django 0.95 - - * Django 0.96 - -* `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__ - -* **Patches:** - - * `0.91 <https://github.com/django/django/commit/50ce7fb57d>`__ - - * `0.95 <https://github.com/django/django/commit/50ce7fb57d>`__ - - * `0.96 <https://github.com/django/django/commit/7791e5c050>`__ - - -September 2, 2008 -================= - -* **Issues:** - - * CSRF via preservation of POST data during admin login: `CVE-2008-3909 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_ - -* Versions affected - - * Django 0.91 - - * Django 0.95 - - * Django 0.96 - -* `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__ - -* **Patches:** - - * `0.91 <https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752>`__ - - * `0.95 <https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81>`__ - - * `0.96 <https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e>`__ - - -July 28, 2009 -============= - -* **Issues:** - - * Directory-traversal in development server media handler: `CVE-2009-2659 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_ - -* **Versions affected:** - - * Django 0.96 - - * Django 1.0 - -* `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__ - -* **Patches:** - - * `0.96 <https://github.com/django/django/commit/da85d76fd6>`__ - - * `1.0 <https://github.com/django/django/commit/df7f917b7f>`__ - - -October 9, 2009 -=============== - -* **Issues:** - - * Denial-of-service via pathological regular expression performance: `CVE-2009-3965 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_ - -* **Versions affected:** - - * Django 1.0 +`CVE-2007-5712 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_: Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__ - * Django 1.1 +Versions affected +----------------- -* `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__ +* Django 0.91 `(patch) <https://github.com/django/django/commit/8bc36e726c9e8c75c681d3ad232df8e882aaac81>`__ -* **Patches:** +* Django 0.95 `(patch) <https://github.com/django/django/commit/412ed22502e11c50dbfee854627594f0e7e2c234>`__ - * `1.0 <https://github.com/django/django/commit/594a28a904>`__ +* Django 0.96 `(patch) <https://github.com/django/django/commit/7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`__ - * `1.1 <https://github.com/django/django/commit/e3e992e18b>`__ +May 14, 2008 - CVE-2008-2302 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -September 8, 2010 -================= +`CVE-2008-2302 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_: XSS via admin login redirect. `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__ -* **Issues:** +Versions affected +----------------- - * XSS via trusting unsafe cookie value: `CVE-2010-3082 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_ +* Django 0.91 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__ -* **Versions affected:** +* Django 0.95 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__ - * Django 1.2 +* Django 0.96 `(patch) <https://github.com/django/django/commit/7791e5c050>`__ -* `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__ -* **Patches:** +September 2, 2008 - CVE-2008-3909 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.2 <https://github.com/django/django/commit/7f84657b6b>`__ +`CVE-2008-3909 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_: CSRF via preservation of POST data during admin login. `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__ +Versions affected +----------------- -December 22, 2010 -================= +* Django 0.91 `(patch) <https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752>`__ -* **Issues:** +* Django 0.95 `(patch) <https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81>`__ - * Information leakage in administrative interface: `CVE-2010-4534 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_ +* Django 0.96 `(patch) <https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e>`__ - * Denial-of-service in password-reset mechanism: `CVE-2010-4535 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_ +July 28, 2009 - CVE-2009-2659 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Versions affected:** +`CVE-2009-2659 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_: Directory-traversal in development server media handler. `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__ - * Django 1.1 +Versions affected +----------------- - * Django 1.2 +* Django 0.96 `(patch) <https://github.com/django/django/commit/da85d76fd6>`__ -* `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__ +* Django 1.0 `(patch) <https://github.com/django/django/commit/df7f917b7f>`__ -* **Patches:** +October 9, 2009 - CVE-2009-3965 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.1 CVE-2010-4534 <https://github.com/django/django/commit/17084839fd>`__ +`CVE-2009-3965 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_: Denial-of-service via pathological regular expression performance. `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__ - * `1.1 CVE-2010-4535 <https://github.com/django/django/commit/7f8dd9cbac>`__ +Versions affected +----------------- - * `1.2 CVE-2010-4534 <https://github.com/django/django/commit/85207a245b>`__ +* Django 1.0 `(patch) <https://github.com/django/django/commit/594a28a904>`__ - * `1.2 CVE-2010-4535 <https://github.com/django/django/commit/d5d8942a16>`__ +* Django 1.1 `(patch) <https://github.com/django/django/commit/e3e992e18b>`__ +September 8, 2010 - CVE-2010-3082 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -February 8, 2011 -================ +`CVE-2010-3082 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_: XSS via trusting unsafe cookie value. `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__ -* **Issues:** +Versions affected +----------------- - * CSRF via forged HTTP headers: `CVE-2011-0696 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_ +* Django 1.2 `(patch) <https://github.com/django/django/commit/7f84657b6b>`__ - * XSS via unsanitized names of uploaded files: `CVE-2011-0697 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_ - * Directory-traversal on Windows via incorrect path-separator handling: `CVE-2011-0698 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_ +December 22, 2010 - CVE-2010-4534 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Versions affected:** +`CVE-2010-4534 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_: Information leakage in administrative interface. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__ - * Django 1.1 +Versions affected +----------------- - * Django 1.2 +* Django 1.1 `(patch) <https://github.com/django/django/commit/17084839fd>`__ -* `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__ +* Django 1.2 `(patch) <https://github.com/django/django/commit/85207a245b>`__ -* **Patches:** +December 22, 2010 - CVE-2010-4535 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.1 CVE-2010-0696 <https://github.com/django/django/commit/408c5c873c>`__ +`CVE-2010-4535 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_: Denial-of-service in password-reset mechanism. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__ - * `1.1 CVE-2010-0697 <https://github.com/django/django/commit/1966786d2d>`__ +Versions affected +----------------- - * `1.1 CVE-2010-0698 <https://github.com/django/django/commit/570a32a047>`__ +* Django 1.1 `(patch) <https://github.com/django/django/commit/7f8dd9cbac>`__ - * `1.2 CVE-2010-0696 <https://github.com/django/django/commit/818e70344e>`__ +* Django 1.2 `(patch) <https://github.com/django/django/commit/d5d8942a16>`__ - * `1.2 CVE-2010-0697 <https://github.com/django/django/commit/1f814a9547>`__ - * `1.2 CVE-2010-0698 <https://github.com/django/django/commit/194566480b>`__ +February 8, 2011 - CVE-2011-0696 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +`CVE-2011-0696 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_: CSRF via forged HTTP headers. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__ -September 9, 2011 -================= +Versions affected +----------------- -* **Issues:** +* Django 1.1 `(patch) <https://github.com/django/django/commit/408c5c873c>`__ - * Session manipulation when using memory-cache-backed session: `CVE-2011-4136 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_ +* Django 1.2 `(patch) <https://github.com/django/django/commit/818e70344e>`__ - * Denial-of-service via via ``URLField.verify_exists``: `CVE-2011-4137 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_ - * Information leakage/arbitrary request issuance via ``URLField.verify_exists``: `CVE-2011-4138 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_ +February 8, 2011 - CVE-2011-0697 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * ``Host`` header cache poisoning: `CVE-2011-4139 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_ +`CVE-2011-0697 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_: XSS via unsanitized names of uploaded files. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__ -* Advisories: +Versions affected +----------------- - * Potential CSRF via ``Host`` header: `CVE-2011-4140 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_ +* Django 1.1 `(patch) <https://github.com/django/django/commit/1966786d2d>`__ -* **Versions affected:** +* Django 1.2 `(patch) <https://github.com/django/django/commit/1f814a9547>`__ - * Django 1.2 +February 8, 2011 - CVE-2011-0698 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Django 1.3 +`CVE-2011-0698 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_: Directory-traversal on Windows via incorrect path-separator handling. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__ -* `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__ +Versions affected +----------------- -* **Patches:** +* Django 1.1 `(patch) <https://github.com/django/django/commit/570a32a047>`__ - * `1.2 CVE-2011-4136 <https://github.com/django/django/commit/ac7c3a110f>`__ +* Django 1.2 `(patch) <https://github.com/django/django/commit/194566480b>`__ - * `1.2 CVE-2011-4137 and CVE-2011-4138 <https://github.com/django/django/commit/7268f8af86>`__ - * `1.2 CVE-2011-4139 <https://github.com/django/django/commit/c613af4d64>`__ +September 9, 2011 - CVE-2011-4136 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.3 CVE-2011-4136 <https://github.com/django/django/commit/fbe2eead2f>`__ +`CVE-2011-4136 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_: Session manipulation when using memory-cache-backed session. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__ - * `1.3 CVE-2011-4137 and CVE-2011-4138 <https://github.com/django/django/commit/1a76dbefdf>`__ +Versions affected +----------------- - * `1.3 CVE-2011-4139 <https://github.com/django/django/commit/2f7fadc38e>`__ +* Django 1.2 `(patch) <https://github.com/django/django/commit/ac7c3a110f>`__ +* Django 1.3 `(patch) <https://github.com/django/django/commit/fbe2eead2f>`__ -July 30, 2012 -============= +September 9, 2011 - CVE-2011-4137 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Issues:** +`CVE-2011-4137 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_: Denial-of-service via via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__ - * XSS via failure to validate redirect scheme: `CVE-2012-3442 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_ +Versions affected +----------------- - * Denial-of-service via compressed image files: `CVE-2012-3443 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_ +* Django 1.2 `(patch) <https://github.com/django/django/commit/7268f8af86>`__ - * Denial-of-service via large image viles: `CVE-2012-3444 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_ +* Django 1.3 `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__ -* **Versions affected:** +September 9, 2011 - CVE-2011-4138 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Django 1.3 +`CVE-2011-4138 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_: Information leakage/arbitrary request issuance via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__ - * Django 1.4 +Versions affected +----------------- -* `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__ +* Django 1.2: `(patch) <https://github.com/django/django/commit/7268f8af86>`__ -* **Patches:** +* Django 1.3: `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__ - * `1.3 CVE-2012-3442 <https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d>`__ +September 9, 2011 - CVE-2011-4139 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.3 CVE-2012-3443 <https://github.com/django/django/commit/b2eb4787a0fff9c9993b78be5c698e85108f3446>`__ +`CVE-2011-4139 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_: ``Host`` header cache poisoning. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__ - * `1.3 CVE-2012-3444 <https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155>`__ +Versions affected +----------------- - * `1.4 CVE-2012-3442 <https://github.com/django/django/commit/e34685034b60be1112160e76091e5aee60149fa1>`__ +* Django 1.2 `(patch) <https://github.com/django/django/commit/c613af4d64>`__ - * `1.4 CVE-2012-3443 <https://github.com/django/django/commit/c14f325c4eef628bc7bfd8873c3a72aeb0219141>`__ +* Django 1.3 `(patch) <https://github.com/django/django/commit/2f7fadc38e>`__ - * `1.4 CVE-2012-3444 <https://github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6>`__ +September 9, 2011 - CVE-2011-4140 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +`CVE-2011-4140 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_: Potential CSRF via ``Host`` header. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__ -October 17, 2012 -================ +Versions affected +----------------- -* **Issues:** +This notification was an advisory only, so no patches were issued. - * ``Host`` header poisoning: `CVE-2012-4520 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2>`_ +* Django 1.2 -* **Versions affected:** +* Django 1.3 - * Django 1.3 - * Django 1.4 +July 30, 2012 - CVE-2012-3442 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`__ +`CVE-2012-3442 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_: XSS via failure to validate redirect scheme. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__ -* **Patches:** +Versions affected +----------------- - * `1.3 <https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071>`__ +* Django 1.3: `(patch) <https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d>`__ - * `1.4 <https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3>`__ +* Django 1.4: `(patch) <https://github.com/django/django/commit/e34685034b60be1112160e76091e5aee60149fa1>`__ -December 10, 2012 -================= +July 30, 2012 - CVE-2012-3443 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Issues:** +`CVE-2012-3443 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_: Denial-of-service via compressed image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__ - * Additional hardening of ``Host`` header handling (no CVE issued) +Versions affected +----------------- - * Additional hardening of redirect validation (no CVE issued) +* Django 1.3: `(patch) <https://github.com/django/django/commit/b2eb4787a0fff9c9993b78be5c698e85108f3446>`__ -* **Versions affected:** +* Django 1.4: `(patch) <https://github.com/django/django/commit/c14f325c4eef628bc7bfd8873c3a72aeb0219141>`__ - * Django 1.3 - * Django 1.4 +July 30, 2012 - CVE-2012-3444 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__ +`CVE-2012-3444 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_: Denial-of-service via large image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__ -* **Patches:** +Versions affected +----------------- - * `1.3 Host hardening <https://github.com/django/django/commit/2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b>`__ +* Django 1.3 `(patch) <https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155>`__ - * `1.3 redirect hardening <https://github.com/django/django/commit/1515eb46daa0897ba5ad5f0a2db8969255f1b343>`__ +* Django 1.4 `(patch) <https://github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6>`__ - * `1.4 Host hardening <https://github.com/django/django/commit/319627c184e71ae267d6b7f000e293168c7b6e09>`__ - * `1.4 redirect hardning <https://github.com/django/django/commit/b2ae0a63aeec741f1e51bac9a95a27fd635f9652>`__ +October 17, 2012 - CVE-2012-4520 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +`CVE-2012-4520 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2>`_: ``Host`` header poisoning. `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`__ -February 19, 2013 -================= +Versions affected +----------------- -* **Issues:** +* Django 1.3 `(patch) <https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071>`__ - * Additional hardening of ``Host`` header handling (no CVE issued) +* Django 1.4 `(patch) <https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3>`__ - * Entity-based attacks against Python XML libraries: `CVE-2013-1664 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_ - * Information leakage via admin history log: `CVE-2013-0305 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_ +December 10, 2012 - No CVE 1 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Denial-of-service via formset ``max_num`` bypass `CVE-2013-0306 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_ +Additional hardening of ``Host`` header handling. `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__ -* **Versions affected:** +Versions affected +----------------- - * Django 1.3 +* Django 1.3 `(patch) <https://github.com/django/django/commit/2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b>`__ - * Django 1.4 +* Django 1.4 `(patch) <https://github.com/django/django/commit/319627c184e71ae267d6b7f000e293168c7b6e09>`__ -* `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__ -* **Patches:** +December 10, 2012 - No CVE 2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.3 Host hardening <https://github.com/django/django/commit/27cd872e6e36a81d0bb6f5b8765a1705fecfc253>`__ +Additional hardening of redirect validation. `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__ - * `1.3 XML attacks <https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112>`__ +Versions affected +----------------- - * `1.3 CVE-2013-0305 <https://github.com/django/django/commit/d3a45e10c8ac8268899999129daa27652ec0da35>`__ + * Django 1.3: `(patch) <https://github.com/django/django/commit/1515eb46daa0897ba5ad5f0a2db8969255f1b343>`__ - * `1.3 CVE-2013-0306 <https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727>`__ + * Django 1.4: `(patch) <https://github.com/django/django/commit/b2ae0a63aeec741f1e51bac9a95a27fd635f9652>`__ - * `1.4 Host hardening <https://github.com/django/django/commit/9936fdb11d0bbf0bd242f259bfb97bbf849d16f8>`__ +February 19, 2013 - No CVE +~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.4 XML attacks <https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40>`__ +Additional hardening of ``Host`` header handling. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__ - * `1.4 CVE-2013-0305 <https://github.com/django/django/commit/0e7861aec73702f7933ce2a93056f7983939f0d6>`__ +Versions affected +----------------- - * `1.4 CVE-2013-0306 <https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0>`__ +* Django 1.3 `(patch) <https://github.com/django/django/commit/27cd872e6e36a81d0bb6f5b8765a1705fecfc253>`__ +* Django 1.4 `(patch) <https://github.com/django/django/commit/9936fdb11d0bbf0bd242f259bfb97bbf849d16f8>`__ -August 13, 2013 -=============== +February 19, 2013 - CVE-2013-1664/1665 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Issues:** +`CVE-2013-1664 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_: Entity-based attacks against Python XML libraries. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__ - * XSS via admin trusting ``URLField`` values (CVE not yet issued) +Versions affected +----------------- - * Possible XSS via unvalidated URL redirect schemes (CVE not yet issued) +* Django 1.3 `(patch) <https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112>`__ -* **Versions affected:** +* Django 1.4 `(patch) <https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40>`__ - * Django 1.4 (redirect scheme issue only) +February 19, 2013 - CVE-2013-0305 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Django 1.5 +`CVE-2013-0305 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_: Information leakage via admin history log. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__ -* `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__ +Versions affected +----------------- -* **Patches:** +* Django 1.3 `(patch) <https://github.com/django/django/commit/d3a45e10c8ac8268899999129daa27652ec0da35>`__ - * `1.4 redirect validation <https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a>`__ +* Django 1.4 `(patch) <https://github.com/django/django/commit/0e7861aec73702f7933ce2a93056f7983939f0d6>`__ - * `1.5 URLField trusting <https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78>`__ - * `1.5 redirect validation <https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f>`__ +February 19, 2013 - CVE-2013-0306 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +`CVE-2013-0306 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_: Denial-of-service via formset ``max_num`` bypass. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__ -September 10, 2013 -================== +Versions affected +----------------- -* **Issues:** +* Django 1.3 `(patch) <https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727>`__ - * Directory-traversal via ``ssi`` template tag: `CVE-2013-4315 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_ +* Django 1.4 `(patch) <https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0>`__ -* **Versions affected:** +August 13, 2013 - Awaiting CVE 1 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Django 1.4 +(CVE not yet issued): XSS via admin trusting ``URLField`` values. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__ - * Django 1.5 +Versions affected +----------------- -* `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__ +* Django 1.5 `(patch) <https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78>`__ -* **Patches:** +August 13, 2013 - Awaiting CVE 2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.4 CVE-2013-4315 <https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896>`__ +(CVE not yet issued): Possible XSS via unvalidated URL redirect schemes. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__ - * `1.5 CVE-2013-4315 <https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca>`__ +Versions affected +----------------- +* Django 1.4 `(patch) <https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a>`__ -September 14, 2013 -================== +* Django 1.5 `(patch) <https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f>`__ -* **Issues:** +September 10, 2013 - CVE-2013-4315 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Denial-of-service via large passwords: CVE-2013-1443 +`CVE-2013-4315 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_ Directory-traversal via ``ssi`` template tag. `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__ -* **Versions affected:** +Versions affected +----------------- - * Django 1.4 +* Django 1.4 `(patch) <https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896>`__ - * Django 1.5 +* Django 1.5 `(patch) <https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca>`__ -* `Full description <https://www.djangoproject.com/weblog/2013/sep/15/security/>`__ -* **Patches:** +September 14, 2013 - CVE-2013-1443 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.4 CVE-2013-1443 <https://github.com/django/django/commit/3f3d887a6844ec2db743fee64c9e53e04d39a368>`__ and `Python compatibility fix <https://github.com/django/django/commit/6903d1690a92aa040adfb0c8eb37cf62e4206714>`__ +CVE-2013-1443: Denial-of-service via large passwords. `Full description <https://www.djangoproject.com/weblog/2013/sep/15/security/>`__ - * `1.5 CVE-2013-1443 <https://github.com/django/django/commit/22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc>`__ +Versions affected +----------------- +* Django 1.4 `(patch <https://github.com/django/django/commit/3f3d887a6844ec2db743fee64c9e53e04d39a368>`__ and `Python compatibility fix) <https://github.com/django/django/commit/6903d1690a92aa040adfb0c8eb37cf62e4206714>`__ +* Django 1.5 `(patch) <https://github.com/django/django/commit/22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc>`__ |
