From 9d3e60aa3e97642d20317d6732f374ed91e7a90b Mon Sep 17 00:00:00 2001 From: Russell Keith-Magee Date: Thu, 19 Sep 2013 14:57:01 +0800 Subject: [PATCH] Reworked security issue list to be per-issue, not per-release. --- docs/releases/security.txt | 529 ++++++++++++++++--------------------- 1 file changed, 226 insertions(+), 303 deletions(-) diff --git a/docs/releases/security.txt b/docs/releases/security.txt index 635e51efe8..474eeee26d 100644 --- a/docs/releases/security.txt +++ b/docs/releases/security.txt @@ -41,46 +41,29 @@ security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned. -August 16, 2006 ---------------- +August 16, 2006 - CVE-2007-0404 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Issues:** +`CVE-2007-0404 `_: Filename validation issue in translation framework. `Full description `__ - * Filename validation issue in translation framework: `CVE-2007-0404 `_ +Versions affected +----------------- -* **Versions affected:** +* Django 0.90 `(patch) `__ - * Django 0.90 +* Django 0.91 `(patch) `__ - * Django 0.91 +* Django 0.95 `(patch) `__ (released January 21 2007) -* `Full description `__ +January 21, 2007 - CVE-2007-0405 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* Patch: `unified 0.90/0.91 `__ - - -January 21, 2007 ----------------- - -* **Issues:** - - * Patch `CVE-2007-0404`_ for Django 0.95 - - * Apparent "caching" of authenticated user: `CVE-2007-0405 `_ - -* **Versions affected:** - - * Django 0.95 - -* `Full description `__ - -* **Patches:** - - * `2006-08-26 issue `__ - - * `User caching issue `__ +`CVE-2007-0405 `_: Apparent "caching" of authenticated user. `Full description `__ +Versions affected +----------------- +* Django 0.95 `(patch) `__ Issues under Django's security process ====================================== @@ -88,440 +71,380 @@ Issues under Django's security process All other security issues have been handled under versions of Django's security process. These are listed below. +October 26, 2007 - CVE-2007-5712 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -October 26, 2007 ----------------- +`CVE-2007-5712 `_: Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full description `__ -* **Issues:** +Versions affected +----------------- - * Denial-of-service via arbitrarily-large ``Accept-Language`` header: `CVE-2007-5712 `_ +* Django 0.91 `(patch) `__ -* **Versions affected:** +* Django 0.95 `(patch) `__ - * Django 0.91 +* Django 0.96 `(patch) `__ - * Django 0.95 - * Django 0.96 +May 14, 2008 - CVE-2008-2302 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* `Full description `__ +`CVE-2008-2302 `_: XSS via admin login redirect. `Full description `__ -* **Patches:** +Versions affected +----------------- - * `0.91 `__ +* Django 0.91 `(patch) `__ - * `0.95 `__ +* Django 0.95 `(patch) `__ - * `0.96 `__ +* Django 0.96 `(patch) `__ -May 14, 2008 ------------- +September 2, 2008 - CVE-2008-3909 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Issues:** +`CVE-2008-3909 `_: CSRF via preservation of POST data during admin login. `Full description `__ - * XSS via admin login redirect: `CVE-2008-2302 `_ +Versions affected +----------------- -* **Versions affected:** +* Django 0.91 `(patch) `__ - * Django 0.91 +* Django 0.95 `(patch) `__ - * Django 0.95 +* Django 0.96 `(patch) `__ - * Django 0.96 +July 28, 2009 - CVE-2009-2659 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* `Full description `__ +`CVE-2009-2659 `_: Directory-traversal in development server media handler. `Full description `__ -* **Patches:** +Versions affected +----------------- - * `0.91 `__ +* Django 0.96 `(patch) `__ - * `0.95 `__ +* Django 1.0 `(patch) `__ - * `0.96 `__ +October 9, 2009 - CVE-2009-3965 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +`CVE-2009-3965 `_: Denial-of-service via pathological regular expression performance. `Full description `__ -September 2, 2008 -================= +Versions affected +----------------- -* **Issues:** +* Django 1.0 `(patch) `__ - * CSRF via preservation of POST data during admin login: `CVE-2008-3909 `_ +* Django 1.1 `(patch) `__ -* Versions affected +September 8, 2010 - CVE-2010-3082 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Django 0.91 +`CVE-2010-3082 `_: XSS via trusting unsafe cookie value. `Full description `__ - * Django 0.95 +Versions affected +----------------- - * Django 0.96 +* Django 1.2 `(patch) `__ -* `Full description `__ -* **Patches:** +December 22, 2010 - CVE-2010-4534 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `0.91 `__ +`CVE-2010-4534 `_: Information leakage in administrative interface. `Full description `__ - * `0.95 `__ +Versions affected +----------------- - * `0.96 `__ +* Django 1.1 `(patch) `__ +* Django 1.2 `(patch) `__ -July 28, 2009 -============= +December 22, 2010 - CVE-2010-4535 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Issues:** +`CVE-2010-4535 `_: Denial-of-service in password-reset mechanism. `Full description `__ - * Directory-traversal in development server media handler: `CVE-2009-2659 `_ +Versions affected +----------------- -* **Versions affected:** +* Django 1.1 `(patch) `__ - * Django 0.96 +* Django 1.2 `(patch) `__ - * Django 1.0 -* `Full description `__ +February 8, 2011 - CVE-2011-0696 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Patches:** +`CVE-2011-0696 `_: CSRF via forged HTTP headers. `Full description `__ - * `0.96 `__ +Versions affected +----------------- - * `1.0 `__ +* Django 1.1 `(patch) `__ +* Django 1.2 `(patch) `__ -October 9, 2009 -=============== -* **Issues:** +February 8, 2011 - CVE-2011-0697 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Denial-of-service via pathological regular expression performance: `CVE-2009-3965 `_ +`CVE-2011-0697 `_: XSS via unsanitized names of uploaded files. `Full description `__ -* **Versions affected:** +Versions affected +----------------- - * Django 1.0 +* Django 1.1 `(patch) `__ - * Django 1.1 +* Django 1.2 `(patch) `__ -* `Full description `__ +February 8, 2011 - CVE-2011-0698 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Patches:** +`CVE-2011-0698 `_: Directory-traversal on Windows via incorrect path-separator handling. `Full description `__ - * `1.0 `__ +Versions affected +----------------- - * `1.1 `__ +* Django 1.1 `(patch) `__ +* Django 1.2 `(patch) `__ -September 8, 2010 -================= -* **Issues:** +September 9, 2011 - CVE-2011-4136 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * XSS via trusting unsafe cookie value: `CVE-2010-3082 `_ +`CVE-2011-4136 `_: Session manipulation when using memory-cache-backed session. `Full description `__ -* **Versions affected:** +Versions affected +----------------- - * Django 1.2 +* Django 1.2 `(patch) `__ -* `Full description `__ +* Django 1.3 `(patch) `__ -* **Patches:** +September 9, 2011 - CVE-2011-4137 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.2 `__ +`CVE-2011-4137 `_: Denial-of-service via via ``URLField.verify_exists``. `Full description `__ +Versions affected +----------------- -December 22, 2010 -================= +* Django 1.2 `(patch) `__ -* **Issues:** +* Django 1.3 `(patch) `__ - * Information leakage in administrative interface: `CVE-2010-4534 `_ +September 9, 2011 - CVE-2011-4138 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Denial-of-service in password-reset mechanism: `CVE-2010-4535 `_ +`CVE-2011-4138 `_: Information leakage/arbitrary request issuance via ``URLField.verify_exists``. `Full description `__ -* **Versions affected:** +Versions affected +----------------- - * Django 1.1 +* Django 1.2: `(patch) `__ - * Django 1.2 +* Django 1.3: `(patch) `__ -* `Full description `__ +September 9, 2011 - CVE-2011-4139 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Patches:** +`CVE-2011-4139 `_: ``Host`` header cache poisoning. `Full description `__ - * `1.1 CVE-2010-4534 `__ +Versions affected +----------------- - * `1.1 CVE-2010-4535 `__ +* Django 1.2 `(patch) `__ - * `1.2 CVE-2010-4534 `__ +* Django 1.3 `(patch) `__ - * `1.2 CVE-2010-4535 `__ +September 9, 2011 - CVE-2011-4140 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +`CVE-2011-4140 `_: Potential CSRF via ``Host`` header. `Full description `__ -February 8, 2011 -================ +Versions affected +----------------- -* **Issues:** +This notification was an advisory only, so no patches were issued. - * CSRF via forged HTTP headers: `CVE-2011-0696 `_ +* Django 1.2 - * XSS via unsanitized names of uploaded files: `CVE-2011-0697 `_ +* Django 1.3 - * Directory-traversal on Windows via incorrect path-separator handling: `CVE-2011-0698 `_ -* **Versions affected:** +July 30, 2012 - CVE-2012-3442 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Django 1.1 +`CVE-2012-3442 `_: XSS via failure to validate redirect scheme. `Full description `__ - * Django 1.2 +Versions affected +----------------- -* `Full description `__ +* Django 1.3: `(patch) `__ -* **Patches:** +* Django 1.4: `(patch) `__ - * `1.1 CVE-2010-0696 `__ - * `1.1 CVE-2010-0697 `__ +July 30, 2012 - CVE-2012-3443 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.1 CVE-2010-0698 `__ +`CVE-2012-3443 `_: Denial-of-service via compressed image files. `Full description `__ - * `1.2 CVE-2010-0696 `__ +Versions affected +----------------- - * `1.2 CVE-2010-0697 `__ +* Django 1.3: `(patch) `__ - * `1.2 CVE-2010-0698 `__ +* Django 1.4: `(patch) `__ -September 9, 2011 -================= +July 30, 2012 - CVE-2012-3444 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Issues:** +`CVE-2012-3444 `_: Denial-of-service via large image files. `Full description `__ - * Session manipulation when using memory-cache-backed session: `CVE-2011-4136 `_ +Versions affected +----------------- - * Denial-of-service via via ``URLField.verify_exists``: `CVE-2011-4137 `_ +* Django 1.3 `(patch) `__ - * Information leakage/arbitrary request issuance via ``URLField.verify_exists``: `CVE-2011-4138 `_ +* Django 1.4 `(patch) `__ - * ``Host`` header cache poisoning: `CVE-2011-4139 `_ -* Advisories: +October 17, 2012 - CVE-2012-4520 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Potential CSRF via ``Host`` header: `CVE-2011-4140 `_ +`CVE-2012-4520 `_: ``Host`` header poisoning. `Full description `__ -* **Versions affected:** +Versions affected +----------------- - * Django 1.2 +* Django 1.3 `(patch) `__ - * Django 1.3 +* Django 1.4 `(patch) `__ -* `Full description `__ -* **Patches:** +December 10, 2012 - No CVE 1 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.2 CVE-2011-4136 `__ +Additional hardening of ``Host`` header handling. `Full description `__ - * `1.2 CVE-2011-4137 and CVE-2011-4138 `__ +Versions affected +----------------- - * `1.2 CVE-2011-4139 `__ +* Django 1.3 `(patch) `__ - * `1.3 CVE-2011-4136 `__ +* Django 1.4 `(patch) `__ - * `1.3 CVE-2011-4137 and CVE-2011-4138 `__ - * `1.3 CVE-2011-4139 `__ +December 10, 2012 - No CVE 2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Additional hardening of redirect validation. `Full description `__ -July 30, 2012 -============= +Versions affected +----------------- -* **Issues:** + * Django 1.3: `(patch) `__ - * XSS via failure to validate redirect scheme: `CVE-2012-3442 `_ + * Django 1.4: `(patch) `__ - * Denial-of-service via compressed image files: `CVE-2012-3443 `_ +February 19, 2013 - No CVE +~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Denial-of-service via large image viles: `CVE-2012-3444 `_ +Additional hardening of ``Host`` header handling. `Full description `__ -* **Versions affected:** +Versions affected +----------------- - * Django 1.3 +* Django 1.3 `(patch) `__ - * Django 1.4 +* Django 1.4 `(patch) `__ -* `Full description `__ +February 19, 2013 - CVE-2013-1664/1665 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Patches:** +`CVE-2013-1664 `_ and `CVE-2013-1665 `_: Entity-based attacks against Python XML libraries. `Full description `__ - * `1.3 CVE-2012-3442 `__ +Versions affected +----------------- - * `1.3 CVE-2012-3443 `__ +* Django 1.3 `(patch) `__ - * `1.3 CVE-2012-3444 `__ +* Django 1.4 `(patch) `__ - * `1.4 CVE-2012-3442 `__ +February 19, 2013 - CVE-2013-0305 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.4 CVE-2012-3443 `__ +`CVE-2013-0305 `_: Information leakage via admin history log. `Full description `__ - * `1.4 CVE-2012-3444 `__ +Versions affected +----------------- +* Django 1.3 `(patch) `__ -October 17, 2012 -================ +* Django 1.4 `(patch) `__ -* **Issues:** - * ``Host`` header poisoning: `CVE-2012-4520 `_ +February 19, 2013 - CVE-2013-0306 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Versions affected:** +`CVE-2013-0306 `_: Denial-of-service via formset ``max_num`` bypass. `Full description `__ - * Django 1.3 +Versions affected +----------------- - * Django 1.4 +* Django 1.3 `(patch) `__ -* `Full description `__ +* Django 1.4 `(patch) `__ -* **Patches:** +August 13, 2013 - Awaiting CVE 1 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.3 `__ +(CVE not yet issued): XSS via admin trusting ``URLField`` values. `Full description `__ - * `1.4 `__ +Versions affected +----------------- +* Django 1.5 `(patch) `__ -December 10, 2012 -================= +August 13, 2013 - Awaiting CVE 2 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -* **Issues:** +(CVE not yet issued): Possible XSS via unvalidated URL redirect schemes. `Full description `__ - * Additional hardening of ``Host`` header handling (no CVE issued) +Versions affected +----------------- - * Additional hardening of redirect validation (no CVE issued) +* Django 1.4 `(patch) `__ -* **Versions affected:** +* Django 1.5 `(patch) `__ - * Django 1.3 +September 10, 2013 - CVE-2013-4315 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * Django 1.4 +`CVE-2013-4315 `_ Directory-traversal via ``ssi`` template tag. `Full description `__ -* `Full description `__ +Versions affected +----------------- -* **Patches:** +* Django 1.4 `(patch) `__ - * `1.3 Host hardening `__ +* Django 1.5 `(patch) `__ - * `1.3 redirect hardening `__ - * `1.4 Host hardening `__ +September 14, 2013 - CVE-2013-1443 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - * `1.4 redirect hardning `__ +CVE-2013-1443: Denial-of-service via large passwords. `Full description `__ +Versions affected +----------------- -February 19, 2013 -================= - -* **Issues:** - - * Additional hardening of ``Host`` header handling (no CVE issued) - - * Entity-based attacks against Python XML libraries: `CVE-2013-1664 `_ and `CVE-2013-1665 `_ - - * Information leakage via admin history log: `CVE-2013-0305 `_ - - * Denial-of-service via formset ``max_num`` bypass `CVE-2013-0306 `_ - -* **Versions affected:** - - * Django 1.3 - - * Django 1.4 - -* `Full description `__ - -* **Patches:** - - * `1.3 Host hardening `__ - - * `1.3 XML attacks `__ - - * `1.3 CVE-2013-0305 `__ - - * `1.3 CVE-2013-0306 `__ - - * `1.4 Host hardening `__ - - * `1.4 XML attacks `__ - - * `1.4 CVE-2013-0305 `__ - - * `1.4 CVE-2013-0306 `__ - - -August 13, 2013 -=============== - -* **Issues:** - - * XSS via admin trusting ``URLField`` values (CVE not yet issued) - - * Possible XSS via unvalidated URL redirect schemes (CVE not yet issued) - -* **Versions affected:** - - * Django 1.4 (redirect scheme issue only) - - * Django 1.5 - -* `Full description `__ - -* **Patches:** - - * `1.4 redirect validation `__ - - * `1.5 URLField trusting `__ - - * `1.5 redirect validation `__ - - -September 10, 2013 -================== - -* **Issues:** - - * Directory-traversal via ``ssi`` template tag: `CVE-2013-4315 `_ - -* **Versions affected:** - - * Django 1.4 - - * Django 1.5 - -* `Full description `__ - -* **Patches:** - - * `1.4 CVE-2013-4315 `__ - - * `1.5 CVE-2013-4315 `__ - - -September 14, 2013 -================== - -* **Issues:** - - * Denial-of-service via large passwords: CVE-2013-1443 - -* **Versions affected:** - - * Django 1.4 - - * Django 1.5 - -* `Full description `__ - -* **Patches:** - - * `1.4 CVE-2013-1443 `__ and `Python compatibility fix `__ - - * `1.5 CVE-2013-1443 `__ - +* Django 1.4 `(patch `__ and `Python compatibility fix) `__ +* Django 1.5 `(patch) `__