DSA-1640 python-django -- several vulnerabilitiesID: oval:org.mitre.oval:def:8091 | Date: (C)2009-12-15 (M)2021-09-12 |
Class: PATCH | Family: unix |
Simon Willison discovered that in Django, a Python web framework, the feature to retain HTTP POST data during user reauthentication allowed a remote attacker to perform unauthorized modification of data through cross site request forgery. This is possible regardless of the Django plugin to prevent cross site request forgery being enabled. The Common Vulnerabilities and Exposures project identifies this issue as CVE-2008-3909. In this update the affected feature is disabled; this is in accordance with upstream"s preferred solution for this situation. This update takes the opportunity to also include a relatively minor denial of service attack in the internationalisation framework, known as CVE-2007-5712.