Summary
The remote host is missing an update to python-django announced via advisory DSA 1640-1.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201640-1
Insight
Simon Willison discovered that in Django, a Python web framework, the feature to retain HTTP POST data during user reauthentication allowed a remote attacker to perform unauthorized modification of data through cross-site request forgery. This is possible regardless of whether the Django plugin for preventing cross-site request forgery is enabled. The Common Vulnerabilities and Exposures project identifies this issue as CVE-2008-3909.
In this update the affected feature is disabled; this is in accordance with upstream's preferred solution for this situation.
This update takes the opportunity to also include a fix for a relatively minor denial of service attack in the internationalisation framework, known as CVE-2007-5712.
For the stable distribution (etch), these problems have been fixed in version 0.95.1-1etch2.
For the unstable distribution (sid), these problems have been fixed in version 1.0-1.
We recommend that you upgrade your python-django package.
Severity
CVSS Base Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
Classification
CVE: CVE-2007-5712, CVE-2008-3909