PublicDateAtUSN: 2015-01-13
Candidate: CVE-2015-0220
PublicDate: 2015-01-16 16:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0220
 https://www.djangoproject.com/weblog/2015/jan/13/security/
 https://ubuntu.com/security/notices/USN-2469-1
Description:
 The django.utils.http.is_safe_url function in Django before 1.4.18, 1.6.x
 before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading
 whitespace, which allows remote attackers to conduct cross-site scripting
 (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated
 by a "\njavascript:" URL.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Mikko Ohtamaa
Assigned-to: mdeslaur
CVSS:

Patches_python-django:
upstream_python-django: released (1.6.10)
lucid_python-django: released (1.1.1-2ubuntu1.14)
precise_python-django: released (1.3.1-4ubuntu1.13)
trusty_python-django: released (1.6.1-2ubuntu0.6)
trusty/esm_python-django: released (1.6.1-2ubuntu0.6)
utopic_python-django: released (1.6.6-1ubuntu2.1)
devel_python-django: released (1.6.6-1ubuntu3)
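The bug class behind this record, as an added example (not Django's code and not part of the Ubuntu record): a redirect-target check parses the raw string with the strict RFC 3986 scheme grammar, so "\njavascript:alert(1)" looks schemeless and passes, while a browser first strips leading control characters and whitespace (and removes tab/LF/CR anywhere) and then runs it as a javascript: URL. The example goes beyond the advisory's single "\njavascript:" case to leading tabs, leading spaces and an embedded newline. It uses a small hand-written scheme parser rather than urllib.parse because recent CPython releases changed urlsplit to strip these characters itself, which would hide the mismatch; the function names, normalisation rules and sample inputs are assumptions of this example.

```python
"""CVE-2015-0220 in miniature: strict parser vs. browser view of a redirect URL.

Added example, not Django's own code. naive_is_safe_url, hardened_is_safe_url,
browser_view and the REDIRECTS list are assumptions of this example.
"""
import re
import unicodedata

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r'^([A-Za-z][A-Za-z0-9+.\-]*):')

# Browsers (WHATWG URL parsing) strip leading/trailing C0 controls and U+0020
# and remove ASCII tab, LF and CR anywhere before they look for a scheme.
_C0_AND_SPACE = ''.join(chr(c) for c in range(0x21))
_TAB_LF_CR = re.compile(r'[\t\n\r]')


def split_url(url):
    """Return (scheme, netloc) as a strict RFC parser sees the raw string."""
    m = _SCHEME_RE.match(url)
    scheme = m.group(1).lower() if m else ''
    rest = url[m.end():] if m else url
    netloc = rest[2:].split('/', 1)[0] if rest.startswith('//') else ''
    return scheme, netloc


def naive_is_safe_url(url, host):
    """Vulnerable check (do not use): scheme must be absent or http(s) and
    netloc must be absent or equal to host, judged on the raw string only."""
    scheme, netloc = split_url(url)
    return ((not netloc or netloc == host) and
            (not scheme or scheme in ('http', 'https')))


def browser_view(url):
    """Approximate the string a browser actually parses."""
    return _TAB_LF_CR.sub('', url.strip(_C0_AND_SPACE))


def hardened_is_safe_url(url, host):
    """Fixed check: refuse leading control characters outright, then apply the
    scheme/host rules to the browser-normalised form instead of the raw one."""
    if not url:
        return False
    # Any leading control character (Unicode category C*) is rejected; browsers
    # ignore such characters and may then see a scheme the parser did not.
    if unicodedata.category(url[0])[0] == 'C':
        return False
    return naive_is_safe_url(browser_view(url), host)


# Constructed inputs; only the "\njavascript:" case comes from the advisory.
HOST = 'example.com'
REDIRECTS = [
    ('/accounts/profile/', True),        # relative path: safe
    ('https://example.com/next', True),  # same host: safe
    ('https://evil.example/', False),    # foreign host
    ('javascript:alert(1)', False),      # scheme seen by both checks
    ('\njavascript:alert(1)', False),    # CVE-2015-0220 case
    ('\tjavascript:alert(1)', False),    # other leading control character
    ('java\nscript:alert(1)', False),    # browser removes the inner LF
    (' javascript:alert(1)', False),     # leading space is stripped too
]


def compare():
    """Return {url: (naive_result, hardened_result, expected)} for REDIRECTS."""
    return {u: (naive_is_safe_url(u, HOST), hardened_is_safe_url(u, HOST), exp)
            for u, exp in REDIRECTS}


if __name__ == '__main__':
    for url, (naive, hard, expected) in compare().items():
        flag = '' if naive == expected else '  <-- naive check wrong'
        print('%-28r naive=%-5s hardened=%-5s%s' % (url, naive, hard, flag))
```

Running the block prints the naive and hardened verdict for each input; every leading-whitespace and embedded-newline variant is accepted by the naive check and rejected by the hardened one. The leading-space case is why normalising to the browser's view matters in addition to the control-character test: U+0020 is category Zs, not C, so a check that only rejects control characters would still let " javascript:alert(1)" through.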