PublicDateAtUSN: 2014-08-26
Candidate: CVE-2014-0480
PublicDate: 2014-08-26
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0480
https://www.djangoproject.com/weblog/2014/aug/20/security/
http://www.ubuntu.com/usn/usn-2347-1
Description:
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x
before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does
not properly validate URLs, which allows remote attackers to conduct
phishing attacks via a // (slash slash) in a URL, which triggers a
scheme-relative URL to be generated.
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by: Florian Apolloner
Assigned-to: mdeslaur
Patches_python-django:
vendor: https://www.debian.org/security/2014/dsa-3010
upstream: https://github.com/django/django/commit/c2fe73133b62a1d9e8f7a6b43966570b14618d7e (1.4)
upstream: https://github.com/django/django/commit/da051da8df5e69944745072611351d4cfc6435d5 (1.6)
upstream_python-django: released (1.6.6-1)
lucid_python-django: released (1.1.1-2ubuntu1.13)
precise_python-django: released (1.3.1-4ubuntu1.12)
trusty_python-django: released (1.6.1-2ubuntu0.4)
devel_python-django: not-affected (1.6.6-1)
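Added illustration of the Description above (not part of this tracker entry and not Django's own code): a small Python model of how reverse() built a URL before and after the upstream fix. The trigger is a URL pattern whose first component is a capture group (a catch-all such as r'^(?P<path>.*)$' mounted at the root), so a caller-controlled argument beginning with '/' lands directly after the script prefix '/' and the result begins with '//', which browsers read as a network-path (scheme-relative) reference to another host. The function names reverse_unpatched, reverse_patched and is_scheme_relative, the sample prefix, pattern and attacker path are all assumptions constructed for this example; the '/%2F' rewrite mirrors the approach of the upstream commits listed above.

```python
from urllib.parse import quote

# Characters Django's urlquote leaves unescaped when emitting a reversed
# URL: the RFC 3986 sub-delimiters plus '/', '~', ':' and '@'.
RFC3986_SUBDELIMS = "!$&'()*+,;="
SAFE = RFC3986_SUBDELIMS + "/~:@"


def reverse_unpatched(prefix, pattern, **kwargs):
    """Model (assumption) of the pre-fix behaviour: script prefix + the
    pattern with captured groups substituted, then percent-quoted with '/'
    left unescaped. Nothing stops the result from starting with '//'."""
    return quote(prefix + pattern % kwargs, safe=SAFE)


def reverse_patched(prefix, pattern, **kwargs):
    """Model (assumption) of the fixed behaviour: identical construction, but
    a leading '//' is rewritten to '/%2F' so the URL is always path-absolute
    and can never be interpreted as scheme-relative."""
    url = quote(prefix + pattern % kwargs, safe=SAFE)
    if url.startswith("//"):
        url = "/%2F" + url[2:]
    return url


def is_scheme_relative(url):
    """A path beginning with '//' is a network-path reference (RFC 3986
    section 4.2): the browser keeps the current scheme and takes the host
    from the path, i.e. it leaves the site."""
    return url.startswith("//")


if __name__ == "__main__":
    # Constructed scenario: catch-all pattern at the root, attacker supplies
    # a path that starts with '/'.
    prefix, pattern = "/", "%(path)s"
    evil = "/evil.example/login"
    before = reverse_unpatched(prefix, pattern, path=evil)
    after = reverse_patched(prefix, pattern, path=evil)
    print("unpatched:", before, "scheme-relative:", is_scheme_relative(before))
    print("patched:  ", after, "scheme-relative:", is_scheme_relative(after))
```

Patterns with a fixed first component (e.g. 'go/%(path)s') were never at risk, since the '//' can only appear at position zero; the example's patched variant leaves such URLs unchanged.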