diff options
| author | delphij <delphij@FreeBSD.org> | 2007-10-29 06:22:45 +0800 |
|---|---|---|
| committer | delphij <delphij@FreeBSD.org> | 2007-10-29 06:22:45 +0800 |
| commit | eb95c31f95d0f1cdf6bb4afaced81c35df825b9d (patch) | |
| tree | cde9f5a0346f375e9a6f6cd6b99f54bd10997395 | |
| parent | 4cac6f78bbac7f1454cb30fd47b6b1c988cb8920 (diff) | |
| download | freebsd-ports-gnome-eb95c31f95d0f1cdf6bb4afaced81c35df825b9d.tar.gz freebsd-ports-gnome-eb95c31f95d0f1cdf6bb4afaced81c35df825b9d.tar.zst freebsd-ports-gnome-eb95c31f95d0f1cdf6bb4afaced81c35df825b9d.zip | |
Document django DoS issue.
| -rw-r--r-- | security/vuxml/vuln.xml | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 6a18bae2b09b..61c31b75a551 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -34,6 +34,54 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="d2c2952d-85a1-11dc-bfff-003048705d5a"> + <topic>py-django -- denial of service vulnerability</topic> + <affects> + <package> + <name>py23-django</name> + <name>py24-django</name> + <name>py25-django</name> + <range><lt>0.96.1</lt></range> + </package> + <package> + <name>py23-django-devel</name> + <name>py24-django-devel</name> + <name>py25-django-devel</name> + <range><lt>20071026</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Django project reports:</p> + <blockquote cite="http://www.djangoproject.com/weblog/2007/oct/26/security-fix/"> + <p>A per-process cache used by Django's internationalization + ("i18n") system to store the results of translation lookups + for particular values of the HTTP Accept-Language header + used the full value of that header as a key. An attacker + could take advantage of this by sending repeated requests + with extremely large strings in the Accept-Language header, + potentially causing a denial of service by filling available + memory.</p> + <p>Due to limitations imposed by Web server software on the + size of HTTP header fields, combined with reasonable limits + on the number of requests which may be handled by a single + server process over its lifetime, this vulnerability may be + difficult to exploit. Additionally, it is only present when + the "USE_I18N" setting in Django is "True" and the i18n + middleware component is enabled*. Nonetheless, all users of + affected versions of Django are encouraged to update.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.djangoproject.com/weblog/2007/oct/26/security-fix/</url> + </references> + <dates> + <discovery>2007-10-26</discovery> + <entry>2007-10-27</entry> + </dates> + </vuln> + <vuln vid="44224e08-8306-11dc-9283-0016179b2dd5"> <topic>opera -- multiple vulnerabilities</topic> <affects> |