James Bennett of the Django Project reports:

Security releases issued

Today the Django team is issuing multiple releases -- Django 1.3.2 and Django 1.4.1 -- to remedy security issues reported to us. All users are encouraged to upgrade Django immediately.

Denial-of-service via get_image_dimensions()

Django's image-handling facilities also include helper methods to determine the dimensions of an image. Currently, the process for this involves reading a 1024-byte chunk from the start of the file, and passing it to PIL to determine the dimensions; if insufficient data is provided, further 1024-byte chunks are read until PIL is able to return a definite answer.

While this works well for image formats which store enough information in their headers to determine dimensions, it can result in large quantities of read/process cycles for formats which do not. In particular, larger TIFF images can require tens of thousands of such cycles, tying up or timing out worker processes/threads and consuming enough server resources to result in an effective denial-of-service.

To mitigate this, the algorithm for determining image dimensions is being changed; the initial attempt will still use a 1024-byte chunk, but the chunk size will be doubled on each successive read. Testing has demonstrated that this reduces time to process TIFF files by multiple orders of magnitude.

References: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
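The advisory describes the difference between the two read strategies in words; the following added example (not Django's own code, and not part of the bug report) makes the cost difference concrete by counting read/parse cycles for both loops. It replaces PIL with a constructed stand-in parser, `make_probe`, that only answers once it has been fed a given number of bytes, which models a TIFF whose dimension tags sit far into the file. The function names and the sample sizes are assumptions for illustration only.

```python
import io


class NeedMoreData(Exception):
    """Stand-in for the 'not enough data yet' signal a real image parser gives."""


def make_probe(bytes_needed):
    """Constructed stand-in for PIL's incremental parser.

    Returns a fixed (width, height) only once the buffer holds at least
    `bytes_needed` bytes; before that it raises NeedMoreData.  Real TIFF files
    can place the directory that holds the dimensions near the end of the file,
    which is the case the advisory describes.
    """
    def probe(buf):
        if len(buf) < bytes_needed:
            raise NeedMoreData
        return (640, 480)
    return probe


def dims_fixed_chunks(fileobj, probe, chunk_size=1024):
    """Old behaviour as described in the advisory: read a fixed-size chunk on
    every cycle until the parser answers.  Returns (dimensions, cycles), with
    dimensions None if the file ends first.  Cycles grow linearly with the
    offset at which the dimensions become known."""
    fileobj.seek(0)
    buf = bytearray()          # bytearray so appending stays amortised O(1)
    cycles = 0
    while True:
        data = fileobj.read(chunk_size)
        if not data:
            return None, cycles
        buf.extend(data)
        cycles += 1
        try:
            return probe(buf), cycles
        except NeedMoreData:
            continue


def dims_doubling_chunks(fileobj, probe, chunk_size=1024):
    """Fixed behaviour: first read is 1024 bytes, each later read is twice the
    previous one, so cycles grow only logarithmically with the offset."""
    fileobj.seek(0)
    buf = bytearray()
    cycles = 0
    while True:
        data = fileobj.read(chunk_size)
        if not data:
            return None, cycles
        buf.extend(data)
        cycles += 1
        try:
            return probe(buf), cycles
        except NeedMoreData:
            chunk_size *= 2


def compare_cycles(file_size, bytes_needed):
    """Run both strategies over a constructed file of `file_size` zero bytes
    (contents are irrelevant to the probe) and return (old_cycles, new_cycles)."""
    data = io.BytesIO(b"\x00" * file_size)
    probe = make_probe(bytes_needed)
    _, old = dims_fixed_chunks(data, probe)
    _, new = dims_doubling_chunks(data, probe)
    return old, new


if __name__ == "__main__":
    # An 8 MiB file whose dimensions are only decidable once the whole file is
    # buffered: 8192 fixed-size cycles versus 14 doubling cycles.
    print(compare_cycles(8 * 1024 * 1024, 8 * 1024 * 1024))
```

With the fixed strategy the cycle count is file_size / 1024, so a file of a few hundred megabytes costs hundreds of thousands of parse attempts; with doubling it is the smallest n for which 1024 * (2^n - 1) covers the offset, so the same file costs fewer than twenty. Both loops still stop cleanly when the file is exhausted without an answer, which is the other edge case an upload handler has to tolerate.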
Created Django tracking bugs for this issue
Affects: fedora-all [bug 844528]

Created Django tracking bugs for this issue
Affects: epel-all [bug 844529]
Django-1.4.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Django-1.3.2-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Django-1.3.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.