Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2012-3442

Published: 31 July 2012

The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.

Notes

AuthorNote
mdeslaur
possible regression, see LP: #1031733

Priority

Medium

Status

Package Release Status
python-django
Launchpad, Ubuntu, Debian
hardy Ignored
(end of life)
lucid
Released (1.1.1-2ubuntu1.5)
natty
Released (1.2.5-1ubuntu1.2)
oneiric
Released (1.3-2ubuntu1.3)
precise
Released (1.3.1-4ubuntu1.2)
upstream
Released (1.3.2,1.4.1)
Patches:
vendor: http://www.debian.org/security/2012/dsa-2529
upstream: https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d
upstream: https://github.com/django/django/commit/d0d5dc6cd76f01c8a71b677357ad2f702cb54416 (python 2.4 compat)