It was reported that Django's built-in parsing of the Host header was incorrectly handling username/password information (in django.http.HttpRequest.get_host()). This could allow a remote attacker to cause parts of Django, in particular the password-reset mechanism, to generate and display arbitrary URLs to end-users. Acknowledgements: Red Hat would like to thank the upstream Django project for reporting this vulnerability.
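As an added illustration, not code from the attached patches or from Django itself, here is a Host-header validator of the kind the upstream fix introduced: it accepts only a hostname or bracketed IPv6 literal plus an optional port, so a header value carrying a userinfo ("user:pass@host") component is rejected before it can reach the password-reset link builder. The regex, function names and sample environ dicts are my own assumptions.

```python
import re

# Constructed example, not Django's own implementation. The pattern is an
# assumption modelled on the style of check the fix added: a hostname (or a
# bracketed IPv6 literal) and an optional numeric port, nothing else. A "@"
# separating userinfo from the real host cannot match, so it is rejected.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")


def is_valid_host(value):
    """True when `value` has the strict host[:port] shape and nothing more."""
    return HOST_RE.match(value.lower()) is not None


def get_host(meta, use_x_forwarded_host=False):
    """Return the validated host from a WSGI-style environ dict.

    Lookup order mirrors the usual one (X-Forwarded-Host if enabled, then Host,
    then SERVER_NAME/SERVER_PORT); the result is rejected with ValueError if it
    does not pass is_valid_host().
    """
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in meta:
        host = meta["HTTP_X_FORWARDED_HOST"]
    elif "HTTP_HOST" in meta:
        host = meta["HTTP_HOST"]
    else:
        host = meta["SERVER_NAME"]
        port = str(meta["SERVER_PORT"])
        default = "443" if meta.get("wsgi.url_scheme") == "https" else "80"
        if port != default:
            host = "%s:%s" % (host, port)
    if not is_valid_host(host):
        raise ValueError("Invalid HTTP_HOST header: %r" % host)
    return host


def password_reset_url(meta, token):
    """Build the absolute link a password-reset e-mail would carry.

    Because get_host() validates first, an attacker-controlled Host value with
    userinfo never becomes part of the URL sent to the user.
    """
    return "https://%s/reset/%s/" % (get_host(meta), token)
```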
Created attachment 625210: Upstream patch to correct the flaw in Django 1.3.x.
Created attachment 625211: Upstream patch to correct the flaw in Django 1.4.x.
This has been assigned the name CVE-2012-4520.
This is now public: https://www.djangoproject.com/weblog/2012/oct/17/security/
Created Django tracking bugs for this issue. Affects: fedora-all [bug 867732]
Created Django tracking bugs for this issue. Affects: epel-6 [bug 867733]