Description of problem: http://www.djangoproject.com/weblog/2010/dec/22/security/
1) Information leakage in Django administrative interface
   CVSSv2 score = 3.5/AV:N/AC:M/Au:S/C:P/I:N/A:N
   Upstream changeset (against Django v1.2 version, which is in Fedora): http://code.djangoproject.com/changeset/15033

2) Denial-of-service attack in password-reset mechanism
   CVSSv2 score = 5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
   Upstream changeset (against Django v1.2 version, which is in Fedora): http://code.djangoproject.com/changeset/15034
These issues affect the versions of the Django package as shipped with Fedora releases 13 and 14.

--

These issues affect the versions of the Django package as present within the EPEL-4 and EPEL-5 repositories. Please schedule an update / rebase.
Created Django tracking bugs for this issue

Affects: fedora-all [bug 665410]
CVE Request: http://www.openwall.com/lists/oss-security/2010/12/23/4
(In reply to comment #0)
> Description of problem:
>
> http://www.djangoproject.com/weblog/2010/dec/22/security/

Thank you for the report, Luke.
I apologize for the late response (was on vacation). Updated packages are being worked on now.
The following CVE identifiers have been assigned: http://www.openwall.com/lists/oss-security/2011/01/03/5

1) CVE-2010-4534 -- for the "information leakage in Django administrative interface" issue, and
2) CVE-2010-4535 -- for the "Denial-of-service attack in password-reset mechanism" issue.
This has been fixed in Fedora/EPEL:

fedora:19/python-django14-1.4.13-1.fc19
fedora:19/python-django-1.5.8-1.fc19
fedora:20/python-django-1.6.5-1.fc20
fedora:20/python-django14-1.4.13-1.fc20
fedora:20/python-django15-1.5.8-4.fc20
fedora:epel:6/Django14-1.4.13-1.el6
fedora:epel:6/python-django15-1.5.6-1.el6
fedora:epel:7/python-django15-1.5.6-1.el7
fedora:epel:7/python-django-1.6.5-1.el7