- Document Django 2013-02-21 vulnerabilty

Approved by:	araujo (mentor)

1 files changed, 70 insertions, 0 deletions

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 9056a53eb35b..03a33d0089e9 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -51,6 +51,76 @@ Note:  Please add new entries to the beginning of this file.
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="21c59f5e-7cc5-11e2-9c11-080027a5ec9a">
+    <topic>django -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>py26-django</name>
+	<name>py27-django</name>
+	<range><ge>1.3</ge><lt>1.3.6</lt></range>
+	<range><ge>1.4</ge><lt>1.4.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+        <p>The Django Project reports:</p>
+	<blockquote cite="https://www.djangoproject.com/weblog/2013/feb/19/security/">
+	  <p>These security releases fix four issues: one potential phishing
+	    vector, one denial-of-service vector, an information leakage issue,
+	    and a range of XML vulnerabilities.</p>
+          <ol>
+	  <li>
+            <p>Host header poisoning</p>
+	    <p>an attacker could cause Django to generate and display URLs that
+	      link to arbitrary domains. This could be used as part of a phishing
+	      attack. These releases fix this problem by introducing a new
+	      setting, ALLOWED_HOSTS, which specifies a whitelist of domains your
+	      site is known to respond to.</p>
+	    <p>Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to
+	      allow all hosts. This means that to actually fix the security
+	      vulnerability you should define this setting yourself immediately
+	      after upgrading.</p>
+	  </li>
+	  <li>
+	    <p>Formset denial-of-service</p>
+	    <p>an attacker can abuse Django's tracking of the number of forms in
+	      a formset to cause a denial-of-service attack. This has been fixed
+	      by adding a default maximum number of forms of 1,000. You can still
+	      manually specify a bigger max_num, if you wish, but 1,000 should be
+	      enough for anyone.</p>
+	  </li>
+	  <li>
+	    <p>XML attacks</p>
+	    <p>Django's serialization framework was vulnerable to attacks via XML
+	      entity expansion and external references; this is now fixed.
+	      However, if you're parsing arbitrary XML in other parts of your
+	      application, we recommend you look into the defusedxml Python
+	      packages which remedy this anywhere you parse XML, not just via
+	      Django's serialization framework.</p>
+	  </li>
+	  <li>
+	    <p>Data leakage via admin history log</p>
+	    <p>Django's admin interface could expose supposedly-hidden
+	      information via its history log. This has been fixed.</p>
+	  </li>
+	  </ol>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-1664</cvename>
+      <cvename>CVE-2013-1665</cvename>
+      <cvename>CVE-2013-0305</cvename>
+      <cvename>CVE-2013-0306</cvename>
+      <bid>58022</bid>
+      <bid>58061</bid>
+    </references>
+    <dates>
+      <discovery>2013-02-21</discovery>
+      <entry>2013-02-24</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="dfd92cb2-7d48-11e2-ad48-00262d5ed8ee">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>