Nick Brunn reported a possible cross-site scripting vulnerability in python-django, a high-level Python web development framework. The is_safe_url utility function used to validate that a used URL is on the current host to avoid potentially dangerous redirects from maliciously-constructed querystrings, worked as intended for HTTP and HTTPS URLs, but permitted redirects to other schemes, such as javascript:. The is_safe_url function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS, to prevent cross-site scripting attacks through redirecting to other schemes.

For the oldstable distribution (squeeze), this problem has been fixed in version 1.2.3-3+squeeze6. For the stable distribution (wheezy), this problem has been fixed in version 1.4.5-1+deb7u2. For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in version 1.5.2-1. We recommend that you upgrade your python-django packages.

Django is a high-level web application framework that loosely follows the model-view-controller design pattern.

python-django on Debian Linux

This check tests the installed software version using the apt package manager.

• http://www.debian.org/security/2013/dsa-2740.html

---

Updated on 2015-03-25