Reworked security issue list to be per-issue, not per-release.

Russell Keith-Magee 2013-09-19 14:57:01 +08:00
parent 8e134c27c9
commit 9d3e60aa3e
1 changed files with 226 additions and 303 deletions


@ -41,46 +41,29 @@ security process in use. For these, new releases may not have been
issued at the time and CVEs may not have been assigned. issued at the time and CVEs may not have been assigned.
August 16, 2006 August 16, 2006 - CVE-2007-0404
--------------- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Issues:** `CVE-2007-0404 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_: Filename validation issue in translation framework. `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__
* Filename validation issue in translation framework: `CVE-2007-0404 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_ Versions affected
-----------------
* **Versions affected:** * Django 0.90 `(patch) <https://github.com/django/django/commit/518d406e53>`__
* Django 0.90 * Django 0.91 `(patch) <https://github.com/django/django/commit/518d406e53>`__
* Django 0.91 * Django 0.95 `(patch) <https://github.com/django/django/commit/a132d411c6>`__ (released January 21 2007)
* `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__ January 21, 2007 - CVE-2007-0405
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Patch: `unified 0.90/0.91 <https://github.com/django/django/commit/518d406e53>`__ `CVE-2007-0405 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_: Apparent "caching" of authenticated user. `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__
January 21, 2007
----------------
* **Issues:**
* Patch `CVE-2007-0404`_ for Django 0.95
* Apparent "caching" of authenticated user: `CVE-2007-0405 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_
* **Versions affected:**
* Django 0.95
* `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__
* **Patches:**
* `2006-08-26 issue <https://github.com/django/django/commit/a132d411c6>`__
* `User caching issue <https://github.com/django/django/commit/e89f0a6558>`__
Versions affected
-----------------
* Django 0.95 `(patch) <https://github.com/django/django/commit/e89f0a6558>`__
Issues under Django's security process Issues under Django's security process
====================================== ======================================
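Review bot: the Django 0.90 and Django 0.91 lines under CVE-2007-0404 both link the same commit (518d406e53), but the old "unified 0.90/0.91" wording that told the reader one patch covers both releases is dropped; either merge them into one line ("Django 0.90 and 0.91 `(patch) <...>`__") or keep the note. Also, the inline "(released January 21 2007)" on the 0.95 line omits the comma that every date heading in the file uses ("January 21, 2007"); make the date format consistent.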
@ -88,440 +71,380 @@ Issues under Django's security process
All other security issues have been handled under versions of Django's All other security issues have been handled under versions of Django's
security process. These are listed below. security process. These are listed below.
October 26, 2007 - CVE-2007-5712
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
October 26, 2007 `CVE-2007-5712 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_: Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__
----------------
* **Issues:** Versions affected
-----------------
* Denial-of-service via arbitrarily-large ``Accept-Language`` header: `CVE-2007-5712 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_ * Django 0.91 `(patch) <https://github.com/django/django/commit/8bc36e726c9e8c75c681d3ad232df8e882aaac81>`__
* **Versions affected:** * Django 0.95 `(patch) <https://github.com/django/django/commit/412ed22502e11c50dbfee854627594f0e7e2c234>`__
* Django 0.91 * Django 0.96 `(patch) <https://github.com/django/django/commit/7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`__
* Django 0.95
* Django 0.96 May 14, 2008 - CVE-2008-2302
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__ `CVE-2008-2302 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_: XSS via admin login redirect. `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__
* **Patches:** Versions affected
-----------------
* `0.91 <https://github.com/django/django/commit/8bc36e726c9e8c75c681d3ad232df8e882aaac81>`__ * Django 0.91 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__
* `0.95 <https://github.com/django/django/commit/412ed22502e11c50dbfee854627594f0e7e2c234>`__ * Django 0.95 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__
* `0.96 <https://github.com/django/django/commit/7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`__ * Django 0.96 `(patch) <https://github.com/django/django/commit/7791e5c050>`__
May 14, 2008 September 2, 2008 - CVE-2008-3909
------------ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Issues:** `CVE-2008-3909 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_: CSRF via preservation of POST data during admin login. `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__
* XSS via admin login redirect: `CVE-2008-2302 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_ Versions affected
-----------------
* **Versions affected:** * Django 0.91 `(patch) <https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752>`__
* Django 0.91 * Django 0.95 `(patch) <https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81>`__
* Django 0.95 * Django 0.96 `(patch) <https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e>`__
* Django 0.96 July 28, 2009 - CVE-2009-2659
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__ `CVE-2009-2659 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_: Directory-traversal in development server media handler. `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__
* **Patches:** Versions affected
-----------------
* `0.91 <https://github.com/django/django/commit/50ce7fb57d>`__ * Django 0.96 `(patch) <https://github.com/django/django/commit/da85d76fd6>`__
* `0.95 <https://github.com/django/django/commit/50ce7fb57d>`__ * Django 1.0 `(patch) <https://github.com/django/django/commit/df7f917b7f>`__
* `0.96 <https://github.com/django/django/commit/7791e5c050>`__ October 9, 2009 - CVE-2009-3965
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2009-3965 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_: Denial-of-service via pathological regular expression performance. `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__
September 2, 2008 Versions affected
================= -----------------
* **Issues:** * Django 1.0 `(patch) <https://github.com/django/django/commit/594a28a904>`__
* CSRF via preservation of POST data during admin login: `CVE-2008-3909 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_ * Django 1.1 `(patch) <https://github.com/django/django/commit/e3e992e18b>`__
* Versions affected September 8, 2010 - CVE-2010-3082
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Django 0.91 `CVE-2010-3082 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_: XSS via trusting unsafe cookie value. `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__
* Django 0.95 Versions affected
-----------------
* Django 0.96 * Django 1.2 `(patch) <https://github.com/django/django/commit/7f84657b6b>`__
* `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__
* **Patches:** December 22, 2010 - CVE-2010-4534
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `0.91 <https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752>`__ `CVE-2010-4534 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_: Information leakage in administrative interface. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
* `0.95 <https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81>`__ Versions affected
-----------------
* `0.96 <https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e>`__ * Django 1.1 `(patch) <https://github.com/django/django/commit/17084839fd>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/85207a245b>`__
July 28, 2009 December 22, 2010 - CVE-2010-4535
============= ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Issues:** `CVE-2010-4535 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_: Denial-of-service in password-reset mechanism. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
* Directory-traversal in development server media handler: `CVE-2009-2659 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_ Versions affected
-----------------
* **Versions affected:** * Django 1.1 `(patch) <https://github.com/django/django/commit/7f8dd9cbac>`__
* Django 0.96 * Django 1.2 `(patch) <https://github.com/django/django/commit/d5d8942a16>`__
* Django 1.0
* `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__ February 8, 2011 - CVE-2011-0696
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Patches:** `CVE-2011-0696 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_: CSRF via forged HTTP headers. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
* `0.96 <https://github.com/django/django/commit/da85d76fd6>`__ Versions affected
-----------------
* `1.0 <https://github.com/django/django/commit/df7f917b7f>`__ * Django 1.1 `(patch) <https://github.com/django/django/commit/408c5c873c>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/818e70344e>`__
October 9, 2009
===============
* **Issues:** February 8, 2011 - CVE-2011-0697
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Denial-of-service via pathological regular expression performance: `CVE-2009-3965 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_ `CVE-2011-0697 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_: XSS via unsanitized names of uploaded files. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
* **Versions affected:** Versions affected
-----------------
* Django 1.0 * Django 1.1 `(patch) <https://github.com/django/django/commit/1966786d2d>`__
* Django 1.1 * Django 1.2 `(patch) <https://github.com/django/django/commit/1f814a9547>`__
* `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__ February 8, 2011 - CVE-2011-0698
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Patches:** `CVE-2011-0698 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_: Directory-traversal on Windows via incorrect path-separator handling. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
* `1.0 <https://github.com/django/django/commit/594a28a904>`__ Versions affected
-----------------
* `1.1 <https://github.com/django/django/commit/e3e992e18b>`__ * Django 1.1 `(patch) <https://github.com/django/django/commit/570a32a047>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/194566480b>`__
September 8, 2010
=================
* **Issues:** September 9, 2011 - CVE-2011-4136
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* XSS via trusting unsafe cookie value: `CVE-2010-3082 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_ `CVE-2011-4136 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_: Session manipulation when using memory-cache-backed session. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
* **Versions affected:** Versions affected
-----------------
* Django 1.2 * Django 1.2 `(patch) <https://github.com/django/django/commit/ac7c3a110f>`__
* `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__ * Django 1.3 `(patch) <https://github.com/django/django/commit/fbe2eead2f>`__
* **Patches:** September 9, 2011 - CVE-2011-4137
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `1.2 <https://github.com/django/django/commit/7f84657b6b>`__ `CVE-2011-4137 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_: Denial-of-service via via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
-----------------
December 22, 2010 * Django 1.2 `(patch) <https://github.com/django/django/commit/7268f8af86>`__
=================
* **Issues:** * Django 1.3 `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__
* Information leakage in administrative interface: `CVE-2010-4534 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_ September 9, 2011 - CVE-2011-4138
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Denial-of-service in password-reset mechanism: `CVE-2010-4535 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_ `CVE-2011-4138 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_: Information leakage/arbitrary request issuance via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
* **Versions affected:** Versions affected
-----------------
* Django 1.1 * Django 1.2: `(patch) <https://github.com/django/django/commit/7268f8af86>`__
* Django 1.2 * Django 1.3: `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__
* `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__ September 9, 2011 - CVE-2011-4139
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Patches:** `CVE-2011-4139 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_: ``Host`` header cache poisoning. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
* `1.1 CVE-2010-4534 <https://github.com/django/django/commit/17084839fd>`__ Versions affected
-----------------
* `1.1 CVE-2010-4535 <https://github.com/django/django/commit/7f8dd9cbac>`__ * Django 1.2 `(patch) <https://github.com/django/django/commit/c613af4d64>`__
* `1.2 CVE-2010-4534 <https://github.com/django/django/commit/85207a245b>`__ * Django 1.3 `(patch) <https://github.com/django/django/commit/2f7fadc38e>`__
* `1.2 CVE-2010-4535 <https://github.com/django/django/commit/d5d8942a16>`__ September 9, 2011 - CVE-2011-4140
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2011-4140 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_: Potential CSRF via ``Host`` header. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
February 8, 2011 Versions affected
================ -----------------
* **Issues:** This notification was an advisory only, so no patches were issued.
* CSRF via forged HTTP headers: `CVE-2011-0696 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_
* XSS via unsanitized names of uploaded files: `CVE-2011-0697 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_
* Directory-traversal on Windows via incorrect path-separator handling: `CVE-2011-0698 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_
* **Versions affected:**
* Django 1.1
* Django 1.2
* `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
* **Patches:**
* `1.1 CVE-2010-0696 <https://github.com/django/django/commit/408c5c873c>`__
* `1.1 CVE-2010-0697 <https://github.com/django/django/commit/1966786d2d>`__
* `1.1 CVE-2010-0698 <https://github.com/django/django/commit/570a32a047>`__
* `1.2 CVE-2010-0696 <https://github.com/django/django/commit/818e70344e>`__
* `1.2 CVE-2010-0697 <https://github.com/django/django/commit/1f814a9547>`__
* `1.2 CVE-2010-0698 <https://github.com/django/django/commit/194566480b>`__
September 9, 2011
=================
* **Issues:**
* Session manipulation when using memory-cache-backed session: `CVE-2011-4136 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_
* Denial-of-service via via ``URLField.verify_exists``: `CVE-2011-4137 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_
* Information leakage/arbitrary request issuance via ``URLField.verify_exists``: `CVE-2011-4138 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_
* ``Host`` header cache poisoning: `CVE-2011-4139 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_
* Advisories:
* Potential CSRF via ``Host`` header: `CVE-2011-4140 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_
* **Versions affected:**
* Django 1.2 * Django 1.2
* Django 1.3 * Django 1.3
* `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
* **Patches:** July 30, 2012 - CVE-2012-3442
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `1.2 CVE-2011-4136 <https://github.com/django/django/commit/ac7c3a110f>`__ `CVE-2012-3442 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_: XSS via failure to validate redirect scheme. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
* `1.2 CVE-2011-4137 and CVE-2011-4138 <https://github.com/django/django/commit/7268f8af86>`__ Versions affected
-----------------
* `1.2 CVE-2011-4139 <https://github.com/django/django/commit/c613af4d64>`__ * Django 1.3: `(patch) <https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d>`__
* `1.3 CVE-2011-4136 <https://github.com/django/django/commit/fbe2eead2f>`__ * Django 1.4: `(patch) <https://github.com/django/django/commit/e34685034b60be1112160e76091e5aee60149fa1>`__
* `1.3 CVE-2011-4137 and CVE-2011-4138 <https://github.com/django/django/commit/1a76dbefdf>`__
* `1.3 CVE-2011-4139 <https://github.com/django/django/commit/2f7fadc38e>`__ July 30, 2012 - CVE-2012-3443
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2012-3443 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_: Denial-of-service via compressed image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
July 30, 2012 Versions affected
============= -----------------
* **Issues:** * Django 1.3: `(patch) <https://github.com/django/django/commit/b2eb4787a0fff9c9993b78be5c698e85108f3446>`__
* XSS via failure to validate redirect scheme: `CVE-2012-3442 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_ * Django 1.4: `(patch) <https://github.com/django/django/commit/c14f325c4eef628bc7bfd8873c3a72aeb0219141>`__
* Denial-of-service via compressed image files: `CVE-2012-3443 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_
* Denial-of-service via large image viles: `CVE-2012-3444 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_ July 30, 2012 - CVE-2012-3444
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Versions affected:** `CVE-2012-3444 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_: Denial-of-service via large image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
* Django 1.3 Versions affected
-----------------
* Django 1.4 * Django 1.3 `(patch) <https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155>`__
* `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6>`__
* **Patches:**
* `1.3 CVE-2012-3442 <https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d>`__ October 17, 2012 - CVE-2012-4520
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `1.3 CVE-2012-3443 <https://github.com/django/django/commit/b2eb4787a0fff9c9993b78be5c698e85108f3446>`__ `CVE-2012-4520 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2>`_: ``Host`` header poisoning. `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`__
* `1.3 CVE-2012-3444 <https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155>`__ Versions affected
-----------------
* `1.4 CVE-2012-3442 <https://github.com/django/django/commit/e34685034b60be1112160e76091e5aee60149fa1>`__ * Django 1.3 `(patch) <https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071>`__
* `1.4 CVE-2012-3443 <https://github.com/django/django/commit/c14f325c4eef628bc7bfd8873c3a72aeb0219141>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3>`__
* `1.4 CVE-2012-3444 <https://github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6>`__
December 10, 2012 - No CVE 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
October 17, 2012 Additional hardening of ``Host`` header handling. `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__
================
* **Issues:** Versions affected
-----------------
* ``Host`` header poisoning: `CVE-2012-4520 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2>`_ * Django 1.3 `(patch) <https://github.com/django/django/commit/2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b>`__
* **Versions affected:** * Django 1.4 `(patch) <https://github.com/django/django/commit/319627c184e71ae267d6b7f000e293168c7b6e09>`__
* Django 1.3
* Django 1.4 December 10, 2012 - No CVE 2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`__ Additional hardening of redirect validation. `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__
* **Patches:** Versions affected
-----------------
* `1.3 <https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071>`__ * Django 1.3: `(patch) <https://github.com/django/django/commit/1515eb46daa0897ba5ad5f0a2db8969255f1b343>`__
* `1.4 <https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3>`__ * Django 1.4: `(patch) <https://github.com/django/django/commit/b2ae0a63aeec741f1e51bac9a95a27fd635f9652>`__
February 19, 2013 - No CVE
~~~~~~~~~~~~~~~~~~~~~~~~~~
December 10, 2012 Additional hardening of ``Host`` header handling. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
=================
* **Issues:** Versions affected
-----------------
* Additional hardening of ``Host`` header handling (no CVE issued) * Django 1.3 `(patch) <https://github.com/django/django/commit/27cd872e6e36a81d0bb6f5b8765a1705fecfc253>`__
* Additional hardening of redirect validation (no CVE issued) * Django 1.4 `(patch) <https://github.com/django/django/commit/9936fdb11d0bbf0bd242f259bfb97bbf849d16f8>`__
* **Versions affected:** February 19, 2013 - CVE-2013-1664/1665
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Django 1.3 `CVE-2013-1664 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_: Entity-based attacks against Python XML libraries. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
* Django 1.4 Versions affected
-----------------
* `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__ * Django 1.3 `(patch) <https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112>`__
* **Patches:** * Django 1.4 `(patch) <https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40>`__
* `1.3 Host hardening <https://github.com/django/django/commit/2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b>`__ February 19, 2013 - CVE-2013-0305
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `1.3 redirect hardening <https://github.com/django/django/commit/1515eb46daa0897ba5ad5f0a2db8969255f1b343>`__ `CVE-2013-0305 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_: Information leakage via admin history log. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
* `1.4 Host hardening <https://github.com/django/django/commit/319627c184e71ae267d6b7f000e293168c7b6e09>`__ Versions affected
-----------------
* `1.4 redirect hardning <https://github.com/django/django/commit/b2ae0a63aeec741f1e51bac9a95a27fd635f9652>`__ * Django 1.3 `(patch) <https://github.com/django/django/commit/d3a45e10c8ac8268899999129daa27652ec0da35>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/0e7861aec73702f7933ce2a93056f7983939f0d6>`__
February 19, 2013
=================
* **Issues:** February 19, 2013 - CVE-2013-0306
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Additional hardening of ``Host`` header handling (no CVE issued) `CVE-2013-0306 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_: Denial-of-service via formset ``max_num`` bypass. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
* Entity-based attacks against Python XML libraries: `CVE-2013-1664 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_ Versions affected
-----------------
* Information leakage via admin history log: `CVE-2013-0305 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_ * Django 1.3 `(patch) <https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727>`__
* Denial-of-service via formset ``max_num`` bypass `CVE-2013-0306 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_ * Django 1.4 `(patch) <https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0>`__
* **Versions affected:** August 13, 2013 - Awaiting CVE 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Django 1.3 (CVE not yet issued): XSS via admin trusting ``URLField`` values. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
* Django 1.4 Versions affected
-----------------
* `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78>`__
* **Patches:** August 13, 2013 - Awaiting CVE 2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `1.3 Host hardening <https://github.com/django/django/commit/27cd872e6e36a81d0bb6f5b8765a1705fecfc253>`__ (CVE not yet issued): Possible XSS via unvalidated URL redirect schemes. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
* `1.3 XML attacks <https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112>`__ Versions affected
-----------------
* `1.3 CVE-2013-0305 <https://github.com/django/django/commit/d3a45e10c8ac8268899999129daa27652ec0da35>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a>`__
* `1.3 CVE-2013-0306 <https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f>`__
* `1.4 Host hardening <https://github.com/django/django/commit/9936fdb11d0bbf0bd242f259bfb97bbf849d16f8>`__ September 10, 2013 - CVE-2013-4315
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `1.4 XML attacks <https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40>`__ `CVE-2013-4315 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_ Directory-traversal via ``ssi`` template tag. `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__
* `1.4 CVE-2013-0305 <https://github.com/django/django/commit/0e7861aec73702f7933ce2a93056f7983939f0d6>`__ Versions affected
-----------------
* `1.4 CVE-2013-0306 <https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca>`__
August 13, 2013
===============
* **Issues:** September 14, 2013 - CVE-2013-1443
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* XSS via admin trusting ``URLField`` values (CVE not yet issued) CVE-2013-1443: Denial-of-service via large passwords. `Full description <https://www.djangoproject.com/weblog/2013/sep/15/security/>`__
* Possible XSS via unvalidated URL redirect schemes (CVE not yet issued) Versions affected
-----------------
* **Versions affected:**
* Django 1.4 (redirect scheme issue only)
* Django 1.5
* `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
* **Patches:**
* `1.4 redirect validation <https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a>`__
* `1.5 URLField trusting <https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78>`__
* `1.5 redirect validation <https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f>`__
September 10, 2013
==================
* **Issues:**
* Directory-traversal via ``ssi`` template tag: `CVE-2013-4315 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_
* **Versions affected:**
* Django 1.4
* Django 1.5
* `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__
* **Patches:**
* `1.4 CVE-2013-4315 <https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896>`__
* `1.5 CVE-2013-4315 <https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca>`__
September 14, 2013
==================
* **Issues:**
* Denial-of-service via large passwords: CVE-2013-1443
* **Versions affected:**
* Django 1.4
* Django 1.5
* `Full description <https://www.djangoproject.com/weblog/2013/sep/15/security/>`__
* **Patches:**
* `1.4 CVE-2013-1443 <https://github.com/django/django/commit/3f3d887a6844ec2db743fee64c9e53e04d39a368>`__ and `Python compatibility fix <https://github.com/django/django/commit/6903d1690a92aa040adfb0c8eb37cf62e4206714>`__
* `1.5 CVE-2013-1443 <https://github.com/django/django/commit/22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc>`__
* Django 1.4 `(patch <https://github.com/django/django/commit/3f3d887a6844ec2db743fee64c9e53e04d39a368>`__ and `Python compatibility fix) <https://github.com/django/django/commit/6903d1690a92aa040adfb0c8eb37cf62e4206714>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc>`__
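Review bot: the NVD link for CVE-2009-3965 still targets vulnId=CVE-2009-3695 (digits transposed), so the rewrite carries the broken link over from the old per-release list; the query string should read CVE-2009-3965. Smaller text problems in the same hunk: the CVE-2011-4137 summary reads "Denial-of-service via via ``URLField.verify_exists``"; the CVE-2013-4315 line lacks the colon after the CVE link that every other entry uses; CVE-2013-1443 is left as plain text while all other identifiers link to NVD; and the version lines alternate between "Django 1.3 `(patch)`" and "Django 1.3: `(patch)`" (CVE-2011-4138, CVE-2012-3442, CVE-2012-3443 and the second December 10, 2012 entry use the colon form), so pick one form for the whole list.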