oss-sec mailing list archives
Re: CVE Request: Django
From: Moritz Mühlenhoff <jmm () inutil org>
Date: Tue, 30 Oct 2012 00:18:05 +0100
On Tue, Oct 30, 2012 at 12:10:00AM +0100, Seth Arnold wrote:
> Hello Kurt, Steve, all,
>
> Django recently released updates 1.3.4 and 1.4.2 to address a Host: header poisoning problem and incorrect HttpOnly cookie documentation (only wrong in 1.4.x). I believe only the header poisoning problem requires a CVE (the other problem is documentation; Django application authors may make a mistake in their code if they go by the faulty documentation), but I thought I should mention both in this CVE request email as the Django announcement mentioned both:
>
> https://www.djangoproject.com/weblog/2012/oct/17/security/
>
> Commits:
>
> master: https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e
> 1.4 branch: https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3
> 1.3 branch: https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071
This should be CVE-2012-4520:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145

Cheers,
Moritz
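For readers following the thread, the defence the Django 1.3.4/1.4.2 releases introduced for the Host header problem is to validate the incoming Host value against an explicit allowlist before it is ever used to build URLs (password-reset links, redirects and the like). The following is an added example written for this archive page, not Django's own code and not part of the thread; it is a self-contained Python approximation of that check. The names `HOST_RE`, `split_domain_port`, `validate_host` and `get_host`, the allowlist patterns (`*`, `.example.com`, exact names) and the sample headers are all assumptions of this example.

```python
import re

# Shape check for a Host header value: a DNS-style name or a bracketed IPv6
# literal, optionally followed by :port. Anything else (CR/LF, spaces,
# slashes, '@') is rejected outright. Approximation, not Django's regex.
HOST_RE = re.compile(r"^([a-z0-9.\-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")


def split_domain_port(host):
    """Split 'host[:port]' into (domain, port); port is '' when absent.

    Bracketed IPv6 literals keep their brackets in the domain part so that
    the colons inside the address are not mistaken for a port separator."""
    host = host.lower()
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return host, ""
        domain, rest = host[: end + 1], host[end + 1:]
        return domain, (rest[1:] if rest.startswith(":") else "")
    domain, _, port = host.partition(":")
    return domain, port


def validate_host(host, allowed_hosts):
    """Return True if host matches one allowlist pattern.

    Pattern rules (assumed for this example, modelled on the ALLOWED_HOSTS
    idea): '*' matches any host; '.example.com' matches example.com and
    every subdomain of it; any other pattern must match exactly.
    Matching is case-insensitive and a trailing FQDN dot is ignored."""
    host = host.lower().rstrip(".")
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (
            host == pattern[1:] or host.endswith(pattern)
        ):
            return True
    return False


def get_host(headers, allowed_hosts, use_x_forwarded_host=False):
    """Return the request host only if it is well-formed and allowlisted.

    X-Forwarded-Host is honoured only when the caller opts in, because a
    client can set it freely unless a trusted proxy overwrites it.
    Raises ValueError for a malformed or untrusted value."""
    if use_x_forwarded_host and "X-Forwarded-Host" in headers:
        raw = headers["X-Forwarded-Host"]
    else:
        raw = headers.get("Host", "")
    raw = raw.strip()
    if not HOST_RE.fullmatch(raw.lower()):
        raise ValueError("malformed Host header: %r" % raw)
    domain, _port = split_domain_port(raw)
    if not validate_host(domain, allowed_hosts):
        raise ValueError("untrusted Host header: %r" % raw)
    return raw


if __name__ == "__main__":
    # Constructed sample requests, as a dict of header name -> value.
    allowed = [".example.com", "[::1]"]
    for hdrs in (
        {"Host": "www.example.com"},
        {"Host": "api.example.com:8443"},
        {"Host": "[::1]:8000"},
        {"Host": "www.example.com", "X-Forwarded-Host": "attacker.test"},
        {"Host": "attacker.test"},
        {"Host": "www.example.com\r\nX-Injected: 1"},
    ):
        try:
            print("accepted:", get_host(hdrs, allowed))
        except ValueError as exc:
            print("rejected:", exc)
```

The key design point is that the allowlist is consulted before the host reaches any URL-building code, and the untrusted forwarding header is ignored unless the deployment explicitly trusts its proxy; a wildcard entry keeps the old behaviour available for deployments that cannot yet enumerate their hosts, at the cost of reopening the problem.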