PublicDateAtUSN: 2013-02-20
Candidate: CVE-2013-0306
PublicDate: 2013-05-02 14:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0306
 https://www.djangoproject.com/weblog/2013/feb/19/security/
 https://ubuntu.com/security/notices/USN-1757-1
Description:
 The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.launchpad.net/bugs/1130445
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701186
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_python-django:
 upstream: https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0 (1.4)
 upstream: https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727 (1.3)
 vendor: http://www.debian.org/security/2013/dsa-2634
upstream_python-django: released (1.4.4-1)
hardy_python-django: ignored (reached end-of-life)
lucid_python-django: released (1.1.1-2ubuntu1.8)
oneiric_python-django: released (1.3-2ubuntu1.6)
precise_python-django: released (1.3.1-4ubuntu1.6)
quantal_python-django: released (1.4.1-2ubuntu0.3)
devel_python-django: not-affected (1.4.5-1)
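The resource limit the description refers to is the formset's max_num; a bound formset reads the number of forms to build from the hidden TOTAL_FORMS field of the management form, which the client controls. The following is an added, stand-alone model of that form-counting step before and after the fix; it is not Django's code and does not import Django. The clamp formula follows the 1.4-branch fix commit referenced above (absolute_max = max(DEFAULT_MAX_NUM, max_num)); later Django releases compute the hard cap as max_num + DEFAULT_MAX_NUM instead. The POST bodies are constructed for the example.

```python
"""Model of Django formset form counting around CVE-2013-0306.

Added example, not Django's own code. It reproduces only the
TOTAL_FORMS handling that the vulnerability and its fix turn on.
"""

DEFAULT_MAX_NUM = 1000  # Django's default max_num and hard-cap base

TOTAL_FORM_COUNT = "TOTAL_FORMS"
INITIAL_FORM_COUNT = "INITIAL_FORMS"
MAX_NUM_FORM_COUNT = "MAX_NUM_FORMS"

# Constructed sample POST bodies (not captured traffic): an honest client
# submitting two forms, and a client that rewrote the hidden TOTAL_FORMS
# field to demand ten million forms from a formset whose max_num is 3.
HONEST_POST = {
    "form-TOTAL_FORMS": "2",
    "form-INITIAL_FORMS": "0",
    "form-MAX_NUM_FORMS": "3",
    "form-0-name": "alice",
    "form-1-name": "bob",
}
TAMPERED_POST = dict(HONEST_POST, **{"form-TOTAL_FORMS": str(10 ** 7)})


def parse_management_form(data, prefix="form"):
    """Read the three hidden management-form integers out of POST data.

    Raises ValueError when a field is missing or non-numeric, standing in
    for the ValidationError Django raises for a missing/tampered
    ManagementForm.
    """
    counts = {}
    for name in (TOTAL_FORM_COUNT, INITIAL_FORM_COUNT, MAX_NUM_FORM_COUNT):
        key = "%s-%s" % (prefix, name)
        try:
            counts[name] = int(data[key])
        except (KeyError, ValueError):
            raise ValueError(
                "ManagementForm data is missing or has been tampered with")
    return counts


def total_form_count_vulnerable(data, max_num=None, prefix="form"):
    """Pre-fix behaviour (Django < 1.3.6 / 1.4.4 / 1.5rc2).

    The client-supplied TOTAL_FORMS value is trusted as-is, so max_num is
    never enforced on bound data and the server will try to instantiate
    as many form objects as the client asks for.
    """
    return parse_management_form(data, prefix)[TOTAL_FORM_COUNT]


def total_form_count_fixed(data, max_num=None, prefix="form"):
    """Post-fix behaviour (1.4-branch fix commit).

    TOTAL_FORMS is clamped to absolute_max before any form is built, so a
    tampered management form can cost at most absolute_max form objects.
    """
    if max_num is None:
        max_num = DEFAULT_MAX_NUM
    absolute_max = max(DEFAULT_MAX_NUM, max_num)
    submitted = parse_management_form(data, prefix)[TOTAL_FORM_COUNT]
    return min(submitted, absolute_max)


def build_forms(data, counter, max_num=None, prefix="form"):
    """Instantiate one small stand-in form object per counted form, the
    way a formset constructs its forms, and return how many were built.
    Only call this with the fixed counter on tampered input: the
    vulnerable counter would allocate ten million objects here, which is
    exactly the memory-exhaustion the advisory describes."""
    n = counter(data, max_num, prefix)
    forms = [{"prefix": "%s-%d" % (prefix, i),
              "name": data.get("%s-%d-name" % (prefix, i))} for i in range(n)]
    return len(forms)


if __name__ == "__main__":
    print("honest, vulnerable:", total_form_count_vulnerable(HONEST_POST, 3))
    print("tampered, vulnerable:", total_form_count_vulnerable(TAMPERED_POST, 3))
    print("tampered, fixed:", total_form_count_fixed(TAMPERED_POST, 3))
    print("forms built after fix:",
          build_forms(TAMPERED_POST, total_form_count_fixed, 3))
```

The key point for anyone auditing a patched tree is that the clamp is applied when the form count is read, before any form is constructed, and that it is independent of the MAX_NUM_FORMS hidden field, which the client can also rewrite. Raising max_num on a formset raises the hard cap with it, so a large max_num still lets a client force that many form instantiations per request.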