Advisories » MGASA-2016-0096

Updated python-django packages fix security vulnerability

Publication date: 07 Mar 2016
Modification date: 07 Mar 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-2512, CVE-2016-2513

Description

Mark Striemer discovered that Django incorrectly handled user-supplied
redirect URLs containing basic authentication credentials. A remote
attacker could possibly use this issue to perform a cross-site scripting
attack or a malicious redirect. (CVE-2016-2512)

Sjoerd Job Postmus discovered that Django incorrectly handled timing when
doing password hashing operations. A remote attacker could possibly use
this issue to perform user enumeration. (CVE-2016-2513)
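
For the redirect issue (CVE-2016-2512), a defensive check that refuses redirect targets carrying credentials; this is an added example, not code from the advisory or from Django. The function name `is_safe_redirect`, the `ALLOWED_HOSTS` value and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only host the application may redirect to.
ALLOWED_HOSTS = {"mysite.example.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True for a local path or an http(s) URL on an allowed host
    that carries no userinfo (user:password@) component."""
    if not target or target != target.strip():
        return False
    # Browsers read "\" as "/" in http(s) URLs, while urlsplit does not, so
    # the two could disagree about where the host starts. Refuse it outright.
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a path rooted at a single "/".
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    # Anything before "@" in the authority is credentials; the real host is
    # what follows, so a familiar name in front proves nothing.
    if "@" in parts.netloc:
        return False
    return parts.hostname in allowed_hosts


# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    "/accounts/profile/",
    "https://mysite.example.com/next",
    "https://user:secret@mysite.example.com/next",
    "https://mysite.example.com@other.example/",
    "//other.example/path",
    "ftp://mysite.example.com/file",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{'allow' if is_safe_redirect(url) else 'deny ':5}  {url}")
```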
                

References

SRPMS

5/core