Bug 460966 (CVE-2008-3909)
Summary: | CVE-2008-3909 Django: CSRF issue fixed in 0.96.3 | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Steve Milner <smilner> |
Component: | Django | Assignee: | Michel Lind <michel> |
Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 9 | CC: | james |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://www.djangoproject.com/weblog/2008/sep/02/security/ | ||
Whiteboard: | |||
Fixed In Version: | 0.96.3-1 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-09-06 14:38:40 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Steve Milner
2008-09-03 00:57:03 UTC
Michel was listed on the advance notification last week, albeit at a different address; if the address CC'd above is the correct address to use for such notifications, let me know and I'll update our list. What e-mail address was used for the advance notification? I just checked and could not find the e-mail. Please use salimma or michel.sylvan -- preferably the former. Thanks. Working on the new release now. I had previously received email from michel.salim@gmail and was using that; it never bounced so I'd assumed it was still the correct one; I'll switch to the fedora address for the future. Django-0.96.3-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc9 Django-0.96.3-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc9 Django-0.96.3-1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc8 CVE id CVE-2008-3909 was assigned to this issue: The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests. Update has been marked stable, but for some reason the bug is not automatically closed; closing now. Django-0.96.3-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. Django-0.96.3-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. |