PublicDateAtUSN: 2013-09-16
Candidate: CVE-2013-4315
PublicDate: 2013-09-16 19:14:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4315
 https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
 https://ubuntu.com/security/notices/USN-1967-1
Description:
 Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x
 before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read
 arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting
 followed by a .. (dot dot) in a ssi template tag.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=722605
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS: 

Patches_python-django:
 upstream: https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896 (1.4)
 upstream: https://github.com/django/django/commit/3203f684e8e51cbfa1b39d7b6a56e340981ad4d5 (1.4)
 upstream: https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca (1.5)
upstream_python-django: released (1.5.3-1)
lucid_python-django: released (1.1.1-2ubuntu1.9)
precise_python-django: released (1.3.1-4ubuntu1.8)
quantal_python-django: released (1.4.1-2ubuntu0.4)
raring_python-django: released (1.4.5-1ubuntu0.1)
devel_python-django: not-affected (1.5.4-1)