PublicDateAtUSN: 2011-10-19
Candidate: CVE-2011-4138
PublicDate: 2011-10-19 10:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4138
 https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
 https://ubuntu.com/security/notices/USN-1297-1
Description:
 The verify_exists functionality in the URLField implementation in Django
 before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity
 through a HEAD request, but then uses a GET request for the new target URL
 in the case of a redirect, which might allow remote attackers to trigger
 arbitrary GET requests with an unintended source IP address via a crafted
 Location header.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Paul McMillan
Assigned-to: jdstrand
CVSS:

Patches_python-django:
 upstream: https://code.djangoproject.com/changeset/16766 (1.2)
 upstream: https://code.djangoproject.com/changeset/16763 (1.3)
upstream_python-django: released (1.3.1-1)
hardy_python-django: ignored (reached end-of-life)
lucid_python-django: released (1.1.1-2ubuntu1.4)
maverick_python-django: released (1.2.3-1ubuntu0.2.10.10.3)
natty_python-django: released (1.2.5-1ubuntu1.1)
oneiric_python-django: released (1.3-2ubuntu1.1)
devel_python-django: not-affected (1.3.1-1ubuntu1)