Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as much
as possible and adhering to the DRY (Don't Repeat Yourself) principle.
It was discovered that the django.utils.http.is_safe_url() function
considered any URL that used a scheme other than HTTP or HTTPS (for
example, 'javascript:') as safe. An attacker could potentially use this
flaw to perform cross-site scripting (XSS) attacks. (CVE-2013-6044)
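The following is an added illustration of the redirect-target check class the advisory describes; it is not Django's `is_safe_url()` and the function names, the host value and the sample URLs are constructed for the example. It puts a host-only comparison (which accepts any scheme-bearing value that has no network location) beside a hardened check that refuses every scheme other than http/https before looking at the host.

```python
from urllib.parse import urlparse

# Added illustration of the redirect-target check described in the advisory;
# this is not Django's is_safe_url() and the function names are assumptions.

ALLOWED_SCHEMES = {"http", "https"}


def host_only_check(url, host):
    """Weak check of the class the advisory describes: it compares only the
    network location, so a scheme-bearing value with no host (for example a
    'javascript:' URL) has an empty netloc and is wrongly accepted."""
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def is_safe_redirect_target(url, host):
    """Accept a redirect target only if it is relative, or absolute with an
    http/https scheme and our own host. Everything else is refused."""
    if not url:
        return False
    parts = urlparse(url.strip())
    # Any scheme other than http/https is refused outright; urlparse lowercases
    # the scheme, so 'JavaScript:' and 'javascript:' are treated the same.
    if parts.scheme and parts.scheme not in ALLOWED_SCHEMES:
        return False
    # Protocol-relative ('//other.example') and absolute URLs must name our host.
    if parts.netloc and parts.netloc != host:
        return False
    return True


def classify(candidates, host):
    """Run both checks over a list of targets; returns {url: (weak, hardened)}."""
    return {u: (host_only_check(u, host), is_safe_redirect_target(u, host))
            for u in candidates}


if __name__ == "__main__":
    # Constructed sample values: a relative path, a same-host absolute URL,
    # a protocol-relative foreign host and a non-HTTP scheme.
    sample = ["/accounts/profile/", "https://app.example/x",
              "//other.example/", "javascript:void(0)"]
    for url, verdict in classify(sample, "app.example").items():
        print(f"{url!r}: weak={verdict[0]} hardened={verdict[1]}")
```

The point of the comparison is the fourth sample: a non-HTTP scheme has no network location, so a check that only asks "is the netloc empty or ours?" accepts it, while the hardened check rejects it before the host is even considered.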
A directory traversal flaw was found in Django's 'ssi' template tag, which
takes a file path as input and outputs that file's contents. An attacker
able to alter templates that made use of the 'ssi' tag on a site could use
this flaw to access any local files accessible to Django. (CVE-2013-4315)
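As an added illustration of the defensive principle behind this second issue (not Django's `ssi` implementation, and not necessarily the check the backported patch uses), the block below restricts a template-driven file include to an allow-list of root directories. Both the root and the requested path are canonicalised before comparison, and `os.path.commonpath` is used rather than a plain string prefix test; the function names and the temporary directory layout are constructed for the example.

```python
import os
import tempfile

# Added illustration of an allow-listed file include; not Django's ssi tag.
# Function names and the demo directory layout are assumptions.


def resolve_within_roots(requested, allowed_roots):
    """Return the canonical path of `requested` if it lies under one of
    `allowed_roots`, otherwise None. Both sides are canonicalised first so
    '..' segments and symlinks cannot escape, and commonpath is used instead
    of a plain prefix test so '/srv/tpl-private' does not match root '/srv/tpl'."""
    target = os.path.realpath(requested)
    for root in allowed_roots:
        root = os.path.realpath(root)
        if os.path.commonpath([root, target]) == root:
            return target
    return None


def read_include(requested, allowed_roots):
    """Return the file's contents, or None if the path is outside every root
    or the file does not exist."""
    path = resolve_within_roots(requested, allowed_roots)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def make_demo_tree():
    """Constructed sample layout: an include root with one snippet, a
    sibling directory whose name shares the root's prefix, and a file one
    level up that must stay unreachable. Returns the paths of interest."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "snippets")
    os.mkdir(root)
    os.mkdir(root + "-private")
    with open(os.path.join(root, "header.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>Site header</h1>")
    with open(os.path.join(root + "-private", "keys.txt"), "w", encoding="utf-8") as fh:
        fh.write("not for templates")
    with open(os.path.join(base, "settings.py"), "w", encoding="utf-8") as fh:
        fh.write("SECRET_KEY = 'placeholder'")
    return {
        "root": root,
        "inside": os.path.join(root, "header.html"),
        "traversal": os.path.join(root, "..", "settings.py"),
        "sibling": os.path.join(root + "-private", "keys.txt"),
    }


if __name__ == "__main__":
    paths = make_demo_tree()
    for label in ("inside", "traversal", "sibling"):
        print(label, "->", read_include(paths[label], [paths["root"]]))
```

Running the block prints the header snippet for the in-root path and `None` for both the `..` traversal and the prefix-sharing sibling directory; the second of those is the case a naive `startswith` comparison on un-normalised paths gets wrong.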
Red Hat would like to thank James Bennett of Django for reporting
CVE-2013-4315.
All python-django users are advised to upgrade to these updated packages,
which contain a backported patch to correct these issues.
OS | OS version | Architecture | Package | Affected version | Filename |
---|---|---|---|---|---|
RedHat | 6 | src | django14 | < 1.4.8-1.el6ost | Django14-1.4.8-1.el6ost.src.rpm |
RedHat | 6 | noarch | django14-doc | < 1.4.8-1.el6ost | Django14-doc-1.4.8-1.el6ost.noarch.rpm |
RedHat | 6 | noarch | django14 | < 1.4.8-1.el6ost | Django14-1.4.8-1.el6ost.noarch.rpm |