MDVSA-2012:143 -- Mandriva python-djangoID: oval:org.secpod.oval:def:302956 | Date: (C)2012-11-02 (M)2021-06-02 |
Class: PATCH | Family: unix |
Multiple vulnerabilities has been discovered and corrected in python-django: The django.http.HttpResponseRedirect and django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting attacks via a data: URL . The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service by uploading an image file . The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service via a large TIFF image . The updated packages have been upgraded to the 1.3.3 version which is not vulnerable to these issues.
Platform: |
Mandriva Linux 2011.0 |