p31829507
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Reworked security issue list to be per-issue, not per-release.

This commit is contained in:
Russell Keith-Magee 2013-09-19 14:57:01 +08:00
parent 8e134c27c9
commit 9d3e60aa3e
1 changed files with 226 additions and 303 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

529
docs/releases/security.txt
View File

@ -41,46 +41,29 @@ security process in use. For these, new releases may not have been
issued at the time and CVEs may not have been assigned. issued at the time and CVEs may not have been assigned.
August 16, 2006 August 16, 2006 - CVE-2007-0404
--------------- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Issues:** `CVE-2007-0404 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_: Filename validation issue in translation framework. `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__
* Filename validation issue in translation framework: `CVE-2007-0404 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_ Versions affected
-----------------
* **Versions affected:** * Django 0.90 `(patch) <https://github.com/django/django/commit/518d406e53>`__
* Django 0.90 * Django 0.91 `(patch) <https://github.com/django/django/commit/518d406e53>`__
* Django 0.91 * Django 0.95 `(patch) <https://github.com/django/django/commit/a132d411c6>`__ (released January 21 2007)
* `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__ January 21, 2007 - CVE-2007-0405
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Patch: `unified 0.90/0.91 <https://github.com/django/django/commit/518d406e53>`__ `CVE-2007-0405 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_: Apparent "caching" of authenticated user. `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__
January 21, 2007
----------------
* **Issues:**
* Patch `CVE-2007-0404`_ for Django 0.95
* Apparent "caching" of authenticated user: `CVE-2007-0405 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_
* **Versions affected:**
* Django 0.95
* `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__
* **Patches:**
* `2006-08-26 issue <https://github.com/django/django/commit/a132d411c6>`__
* `User caching issue <https://github.com/django/django/commit/e89f0a6558>`__
Versions affected
-----------------
* Django 0.95 `(patch) <https://github.com/django/django/commit/e89f0a6558>`__
Issues under Django's security process Issues under Django's security process
====================================== ======================================
@ -88,440 +71,380 @@ Issues under Django's security process
All other security issues have been handled under versions of Django's All other security issues have been handled under versions of Django's
security process. These are listed below. security process. These are listed below.
October 26, 2007 - CVE-2007-5712
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
October 26, 2007 `CVE-2007-5712 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_: Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__
----------------
* **Issues:** Versions affected
-----------------
* Denial-of-service via arbitrarily-large ``Accept-Language`` header: `CVE-2007-5712 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_ * Django 0.91 `(patch) <https://github.com/django/django/commit/8bc36e726c9e8c75c681d3ad232df8e882aaac81>`__
* **Versions affected:** * Django 0.95 `(patch) <https://github.com/django/django/commit/412ed22502e11c50dbfee854627594f0e7e2c234>`__
* Django 0.91 * Django 0.96 `(patch) <https://github.com/django/django/commit/7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`__
* Django 0.95
* Django 0.96 May 14, 2008 - CVE-2008-2302
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__ `CVE-2008-2302 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_: XSS via admin login redirect. `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__
* **Patches:** Versions affected
-----------------
* `0.91 <https://github.com/django/django/commit/8bc36e726c9e8c75c681d3ad232df8e882aaac81>`__ * Django 0.91 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__
* `0.95 <https://github.com/django/django/commit/412ed22502e11c50dbfee854627594f0e7e2c234>`__ * Django 0.95 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__
* `0.96 <https://github.com/django/django/commit/7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`__ * Django 0.96 `(patch) <https://github.com/django/django/commit/7791e5c050>`__
May 14, 2008 September 2, 2008 - CVE-2008-3909
------------ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Issues:** `CVE-2008-3909 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_: CSRF via preservation of POST data during admin login. `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__
* XSS via admin login redirect: `CVE-2008-2302 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_ Versions affected
-----------------
* **Versions affected:** * Django 0.91 `(patch) <https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752>`__
* Django 0.91 * Django 0.95 `(patch) <https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81>`__
* Django 0.95 * Django 0.96 `(patch) <https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e>`__
* Django 0.96 July 28, 2009 - CVE-2009-2659
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__ `CVE-2009-2659 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_: Directory-traversal in development server media handler. `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__
* **Patches:** Versions affected
-----------------
* `0.91 <https://github.com/django/django/commit/50ce7fb57d>`__ * Django 0.96 `(patch) <https://github.com/django/django/commit/da85d76fd6>`__
* `0.95 <https://github.com/django/django/commit/50ce7fb57d>`__ * Django 1.0 `(patch) <https://github.com/django/django/commit/df7f917b7f>`__
* `0.96 <https://github.com/django/django/commit/7791e5c050>`__ October 9, 2009 - CVE-2009-3965
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2009-3965 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_: Denial-of-service via pathological regular expression performance. `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__
September 2, 2008 Versions affected
================= -----------------
* **Issues:** * Django 1.0 `(patch) <https://github.com/django/django/commit/594a28a904>`__
* CSRF via preservation of POST data during admin login: `CVE-2008-3909 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_ * Django 1.1 `(patch) <https://github.com/django/django/commit/e3e992e18b>`__
* Versions affected September 8, 2010 - CVE-2010-3082
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Django 0.91 `CVE-2010-3082 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_: XSS via trusting unsafe cookie value. `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__
* Django 0.95 Versions affected
-----------------
* Django 0.96 * Django 1.2 `(patch) <https://github.com/django/django/commit/7f84657b6b>`__
* `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__
* **Patches:** December 22, 2010 - CVE-2010-4534
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `0.91 <https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752>`__ `CVE-2010-4534 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_: Information leakage in administrative interface. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
* `0.95 <https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81>`__ Versions affected
-----------------
* `0.96 <https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e>`__ * Django 1.1 `(patch) <https://github.com/django/django/commit/17084839fd>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/85207a245b>`__
July 28, 2009 December 22, 2010 - CVE-2010-4535
============= ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Issues:** `CVE-2010-4535 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_: Denial-of-service in password-reset mechanism. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
* Directory-traversal in development server media handler: `CVE-2009-2659 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_ Versions affected
-----------------
* **Versions affected:** * Django 1.1 `(patch) <https://github.com/django/django/commit/7f8dd9cbac>`__
* Django 0.96 * Django 1.2 `(patch) <https://github.com/django/django/commit/d5d8942a16>`__
* Django 1.0
* `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__ February 8, 2011 - CVE-2011-0696
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Patches:** `CVE-2011-0696 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_: CSRF via forged HTTP headers. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
* `0.96 <https://github.com/django/django/commit/da85d76fd6>`__ Versions affected
-----------------
* `1.0 <https://github.com/django/django/commit/df7f917b7f>`__ * Django 1.1 `(patch) <https://github.com/django/django/commit/408c5c873c>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/818e70344e>`__
October 9, 2009
===============
* **Issues:** February 8, 2011 - CVE-2011-0697
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Denial-of-service via pathological regular expression performance: `CVE-2009-3965 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_ `CVE-2011-0697 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_: XSS via unsanitized names of uploaded files. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
* **Versions affected:** Versions affected
-----------------
* Django 1.0 * Django 1.1 `(patch) <https://github.com/django/django/commit/1966786d2d>`__
* Django 1.1 * Django 1.2 `(patch) <https://github.com/django/django/commit/1f814a9547>`__
* `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__ February 8, 2011 - CVE-2011-0698
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Patches:** `CVE-2011-0698 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_: Directory-traversal on Windows via incorrect path-separator handling. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
* `1.0 <https://github.com/django/django/commit/594a28a904>`__ Versions affected
-----------------
* `1.1 <https://github.com/django/django/commit/e3e992e18b>`__ * Django 1.1 `(patch) <https://github.com/django/django/commit/570a32a047>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/194566480b>`__
September 8, 2010
=================
* **Issues:** September 9, 2011 - CVE-2011-4136
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* XSS via trusting unsafe cookie value: `CVE-2010-3082 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_ `CVE-2011-4136 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_: Session manipulation when using memory-cache-backed session. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
* **Versions affected:** Versions affected
-----------------
* Django 1.2 * Django 1.2 `(patch) <https://github.com/django/django/commit/ac7c3a110f>`__
* `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__ * Django 1.3 `(patch) <https://github.com/django/django/commit/fbe2eead2f>`__
* **Patches:** September 9, 2011 - CVE-2011-4137
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `1.2 <https://github.com/django/django/commit/7f84657b6b>`__ `CVE-2011-4137 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_: Denial-of-service via via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
-----------------
December 22, 2010 * Django 1.2 `(patch) <https://github.com/django/django/commit/7268f8af86>`__
=================
* **Issues:** * Django 1.3 `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__
* Information leakage in administrative interface: `CVE-2010-4534 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_ September 9, 2011 - CVE-2011-4138
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Denial-of-service in password-reset mechanism: `CVE-2010-4535 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_ `CVE-2011-4138 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_: Information leakage/arbitrary request issuance via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
* **Versions affected:** Versions affected
-----------------
* Django 1.1 * Django 1.2: `(patch) <https://github.com/django/django/commit/7268f8af86>`__
* Django 1.2 * Django 1.3: `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__
* `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__ September 9, 2011 - CVE-2011-4139
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Patches:** `CVE-2011-4139 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_: ``Host`` header cache poisoning. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
* `1.1 CVE-2010-4534 <https://github.com/django/django/commit/17084839fd>`__ Versions affected
-----------------
* `1.1 CVE-2010-4535 <https://github.com/django/django/commit/7f8dd9cbac>`__ * Django 1.2 `(patch) <https://github.com/django/django/commit/c613af4d64>`__
* `1.2 CVE-2010-4534 <https://github.com/django/django/commit/85207a245b>`__ * Django 1.3 `(patch) <https://github.com/django/django/commit/2f7fadc38e>`__
* `1.2 CVE-2010-4535 <https://github.com/django/django/commit/d5d8942a16>`__ September 9, 2011 - CVE-2011-4140
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2011-4140 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_: Potential CSRF via ``Host`` header. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
February 8, 2011 Versions affected
================ -----------------
* **Issues:** This notification was an advisory only, so no patches were issued.
* CSRF via forged HTTP headers: `CVE-2011-0696 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_ * Django 1.2
* XSS via unsanitized names of uploaded files: `CVE-2011-0697 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_ * Django 1.3
* Directory-traversal on Windows via incorrect path-separator handling: `CVE-2011-0698 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_
* **Versions affected:** July 30, 2012 - CVE-2012-3442
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Django 1.1 `CVE-2012-3442 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_: XSS via failure to validate redirect scheme. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
* Django 1.2 Versions affected
-----------------
* `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__ * Django 1.3: `(patch) <https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d>`__
* **Patches:** * Django 1.4: `(patch) <https://github.com/django/django/commit/e34685034b60be1112160e76091e5aee60149fa1>`__
* `1.1 CVE-2010-0696 <https://github.com/django/django/commit/408c5c873c>`__
* `1.1 CVE-2010-0697 <https://github.com/django/django/commit/1966786d2d>`__ July 30, 2012 - CVE-2012-3443
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `1.1 CVE-2010-0698 <https://github.com/django/django/commit/570a32a047>`__ `CVE-2012-3443 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_: Denial-of-service via compressed image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
* `1.2 CVE-2010-0696 <https://github.com/django/django/commit/818e70344e>`__ Versions affected
-----------------
* `1.2 CVE-2010-0697 <https://github.com/django/django/commit/1f814a9547>`__ * Django 1.3: `(patch) <https://github.com/django/django/commit/b2eb4787a0fff9c9993b78be5c698e85108f3446>`__
* `1.2 CVE-2010-0698 <https://github.com/django/django/commit/194566480b>`__ * Django 1.4: `(patch) <https://github.com/django/django/commit/c14f325c4eef628bc7bfd8873c3a72aeb0219141>`__
September 9, 2011 July 30, 2012 - CVE-2012-3444
================= ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Issues:** `CVE-2012-3444 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_: Denial-of-service via large image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
* Session manipulation when using memory-cache-backed session: `CVE-2011-4136 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_ Versions affected
-----------------
* Denial-of-service via via ``URLField.verify_exists``: `CVE-2011-4137 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_ * Django 1.3 `(patch) <https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155>`__
* Information leakage/arbitrary request issuance via ``URLField.verify_exists``: `CVE-2011-4138 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_ * Django 1.4 `(patch) <https://github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6>`__
* ``Host`` header cache poisoning: `CVE-2011-4139 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_
* Advisories: October 17, 2012 - CVE-2012-4520
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Potential CSRF via ``Host`` header: `CVE-2011-4140 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_ `CVE-2012-4520 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2>`_: ``Host`` header poisoning. `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`__
* **Versions affected:** Versions affected
-----------------
* Django 1.2 * Django 1.3 `(patch) <https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071>`__
* Django 1.3 * Django 1.4 `(patch) <https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3>`__
* `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
* **Patches:** December 10, 2012 - No CVE 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `1.2 CVE-2011-4136 <https://github.com/django/django/commit/ac7c3a110f>`__ Additional hardening of ``Host`` header handling. `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__
* `1.2 CVE-2011-4137 and CVE-2011-4138 <https://github.com/django/django/commit/7268f8af86>`__ Versions affected
-----------------
* `1.2 CVE-2011-4139 <https://github.com/django/django/commit/c613af4d64>`__ * Django 1.3 `(patch) <https://github.com/django/django/commit/2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b>`__
* `1.3 CVE-2011-4136 <https://github.com/django/django/commit/fbe2eead2f>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/319627c184e71ae267d6b7f000e293168c7b6e09>`__
* `1.3 CVE-2011-4137 and CVE-2011-4138 <https://github.com/django/django/commit/1a76dbefdf>`__
* `1.3 CVE-2011-4139 <https://github.com/django/django/commit/2f7fadc38e>`__ December 10, 2012 - No CVE 2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Additional hardening of redirect validation. `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__
July 30, 2012 Versions affected
============= -----------------
* **Issues:** * Django 1.3: `(patch) <https://github.com/django/django/commit/1515eb46daa0897ba5ad5f0a2db8969255f1b343>`__
* XSS via failure to validate redirect scheme: `CVE-2012-3442 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_ * Django 1.4: `(patch) <https://github.com/django/django/commit/b2ae0a63aeec741f1e51bac9a95a27fd635f9652>`__
* Denial-of-service via compressed image files: `CVE-2012-3443 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_ February 19, 2013 - No CVE
~~~~~~~~~~~~~~~~~~~~~~~~~~
* Denial-of-service via large image viles: `CVE-2012-3444 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_ Additional hardening of ``Host`` header handling. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
* **Versions affected:** Versions affected
-----------------
* Django 1.3 * Django 1.3 `(patch) <https://github.com/django/django/commit/27cd872e6e36a81d0bb6f5b8765a1705fecfc253>`__
* Django 1.4 * Django 1.4 `(patch) <https://github.com/django/django/commit/9936fdb11d0bbf0bd242f259bfb97bbf849d16f8>`__
* `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__ February 19, 2013 - CVE-2013-1664/1665
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Patches:** `CVE-2013-1664 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_: Entity-based attacks against Python XML libraries. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
* `1.3 CVE-2012-3442 <https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d>`__ Versions affected
-----------------
* `1.3 CVE-2012-3443 <https://github.com/django/django/commit/b2eb4787a0fff9c9993b78be5c698e85108f3446>`__ * Django 1.3 `(patch) <https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112>`__
* `1.3 CVE-2012-3444 <https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40>`__
* `1.4 CVE-2012-3442 <https://github.com/django/django/commit/e34685034b60be1112160e76091e5aee60149fa1>`__ February 19, 2013 - CVE-2013-0305
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `1.4 CVE-2012-3443 <https://github.com/django/django/commit/c14f325c4eef628bc7bfd8873c3a72aeb0219141>`__ `CVE-2013-0305 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_: Information leakage via admin history log. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
* `1.4 CVE-2012-3444 <https://github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6>`__ Versions affected
-----------------
* Django 1.3 `(patch) <https://github.com/django/django/commit/d3a45e10c8ac8268899999129daa27652ec0da35>`__
October 17, 2012 * Django 1.4 `(patch) <https://github.com/django/django/commit/0e7861aec73702f7933ce2a93056f7983939f0d6>`__
================
* **Issues:**
* ``Host`` header poisoning: `CVE-2012-4520 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2>`_ February 19, 2013 - CVE-2013-0306
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Versions affected:** `CVE-2013-0306 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_: Denial-of-service via formset ``max_num`` bypass. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
* Django 1.3 Versions affected
-----------------
* Django 1.4 * Django 1.3 `(patch) <https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727>`__
* `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0>`__
* **Patches:** August 13, 2013 - Awaiting CVE 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `1.3 <https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071>`__ (CVE not yet issued): XSS via admin trusting ``URLField`` values. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
* `1.4 <https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3>`__ Versions affected
-----------------
* Django 1.5 `(patch) <https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78>`__
December 10, 2012 August 13, 2013 - Awaiting CVE 2
================= ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* **Issues:** (CVE not yet issued): Possible XSS via unvalidated URL redirect schemes. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
* Additional hardening of ``Host`` header handling (no CVE issued) Versions affected
-----------------
* Additional hardening of redirect validation (no CVE issued) * Django 1.4 `(patch) <https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a>`__
* **Versions affected:** * Django 1.5 `(patch) <https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f>`__
* Django 1.3 September 10, 2013 - CVE-2013-4315
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Django 1.4 `CVE-2013-4315 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_ Directory-traversal via ``ssi`` template tag. `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__
* `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__ Versions affected
-----------------
* **Patches:** * Django 1.4 `(patch) <https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896>`__
* `1.3 Host hardening <https://github.com/django/django/commit/2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca>`__
* `1.3 redirect hardening <https://github.com/django/django/commit/1515eb46daa0897ba5ad5f0a2db8969255f1b343>`__
* `1.4 Host hardening <https://github.com/django/django/commit/319627c184e71ae267d6b7f000e293168c7b6e09>`__ September 14, 2013 - CVE-2013-1443
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `1.4 redirect hardning <https://github.com/django/django/commit/b2ae0a63aeec741f1e51bac9a95a27fd635f9652>`__ CVE-2013-1443: Denial-of-service via large passwords. `Full description <https://www.djangoproject.com/weblog/2013/sep/15/security/>`__
Versions affected
-----------------
February 19, 2013 * Django 1.4 `(patch <https://github.com/django/django/commit/3f3d887a6844ec2db743fee64c9e53e04d39a368>`__ and `Python compatibility fix) <https://github.com/django/django/commit/6903d1690a92aa040adfb0c8eb37cf62e4206714>`__
=================
* **Issues:**
* Additional hardening of ``Host`` header handling (no CVE issued)
* Entity-based attacks against Python XML libraries: `CVE-2013-1664 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_
* Information leakage via admin history log: `CVE-2013-0305 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_
* Denial-of-service via formset ``max_num`` bypass `CVE-2013-0306 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_
* **Versions affected:**
* Django 1.3
* Django 1.4
* `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
* **Patches:**
* `1.3 Host hardening <https://github.com/django/django/commit/27cd872e6e36a81d0bb6f5b8765a1705fecfc253>`__
* `1.3 XML attacks <https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112>`__
* `1.3 CVE-2013-0305 <https://github.com/django/django/commit/d3a45e10c8ac8268899999129daa27652ec0da35>`__
* `1.3 CVE-2013-0306 <https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727>`__
* `1.4 Host hardening <https://github.com/django/django/commit/9936fdb11d0bbf0bd242f259bfb97bbf849d16f8>`__
* `1.4 XML attacks <https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40>`__
* `1.4 CVE-2013-0305 <https://github.com/django/django/commit/0e7861aec73702f7933ce2a93056f7983939f0d6>`__
* `1.4 CVE-2013-0306 <https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0>`__
August 13, 2013
===============
* **Issues:**
* XSS via admin trusting ``URLField`` values (CVE not yet issued)
* Possible XSS via unvalidated URL redirect schemes (CVE not yet issued)
* **Versions affected:**
* Django 1.4 (redirect scheme issue only)
* Django 1.5
* `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
* **Patches:**
* `1.4 redirect validation <https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a>`__
* `1.5 URLField trusting <https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78>`__
* `1.5 redirect validation <https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f>`__
September 10, 2013
==================
* **Issues:**
* Directory-traversal via ``ssi`` template tag: `CVE-2013-4315 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_
* **Versions affected:**
* Django 1.4
* Django 1.5
* `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__
* **Patches:**
* `1.4 CVE-2013-4315 <https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896>`__
* `1.5 CVE-2013-4315 <https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca>`__
September 14, 2013
==================
* **Issues:**
* Denial-of-service via large passwords: CVE-2013-1443
* **Versions affected:**
* Django 1.4
* Django 1.5
* `Full description <https://www.djangoproject.com/weblog/2013/sep/15/security/>`__
* **Patches:**
* `1.4 CVE-2013-1443 <https://github.com/django/django/commit/3f3d887a6844ec2db743fee64c9e53e04d39a368>`__ and `Python compatibility fix <https://github.com/django/django/commit/6903d1690a92aa040adfb0c8eb37cf62e4206714>`__
* `1.5 CVE-2013-1443 <https://github.com/django/django/commit/22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc>`__