Executive Summary
| Summary | |
|---|---|
| Title | python-django security update |
| Informations | |||
|---|---|---|---|
| Name | DSA-3305 | First vendor Publication | 2015-07-08 |
| Vendor | Debian | Last vendor Modification | 2015-07-08 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 7.8 | Attack Range | Network |
| Cvss Impact Score | 6.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Several vulnerabilities were discovered in Django, a high-level Python web development framework: CVE-2015-5143 Eric Peterson and Lin Hua Cheng discovered that a new empty record used to be created in the session storage every time a session was accessed and an unknown session key was provided in the request cookie. This could allow remote attackers to saturate the session store or cause other users' session records to be evicted. CVE-2015-5144 Sjoerd Job Postmus discovered that some built-in validators did not properly reject newlines in input values. This could allow remote attackers to inject headers in emails and HTTP responses. For the oldstable distribution (wheezy), these problems have been fixed in version 1.4.5-1+deb7u12. For the stable distribution (jessie), these problems have been fixed in version 1.7.7-1+deb8u1. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your python-django packages. |
Original Source
| Url : http://www.debian.org/security/2015/dsa-3305 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 50 % | CWE-399 | Resource Management Errors |
| 50 % | CWE-20 | Improper Input Validation |
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2016-03-04 | Name : The remote Fedora host is missing a security update. File : fedora_2015-1dd5bc998f.nasl - Type : ACT_GATHER_INFO |
| 2015-11-02 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201510-06.nasl - Type : ACT_GATHER_INFO |
| 2015-10-26 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2015-677.nasl - Type : ACT_GATHER_INFO |
| 2015-10-23 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2015-674.nasl - Type : ACT_GATHER_INFO |
| 2015-07-24 | Name : The remote Fedora host is missing a security update. File : fedora_2015-11403.nasl - Type : ACT_GATHER_INFO |
| 2015-07-17 | Name : The remote Debian host is missing a security update. File : debian_DLA-272.nasl - Type : ACT_GATHER_INFO |
| 2015-07-13 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_37ed8e9c265111e586ff14dae9d210b8.nasl - Type : ACT_GATHER_INFO |
| 2015-07-13 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2671-1.nasl - Type : ACT_GATHER_INFO |
| 2015-07-09 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3305.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2015-07-18 13:29:43 |
|
| 2015-07-16 00:30:56 |
|
| 2015-07-14 21:30:37 |
|
| 2015-07-09 05:25:17 |
|
