From Mageia wiki
MGASA-2012-0315
| Date: | October 29th, 2012 |
| Affected releases: | 1, 2 |
Description:
Updated python-django packages fix security vulnerabilities:
The Host header parsing in Django 1.3 and Django 1.4 -- specifically,
django.http.HttpRequest.get_host() -- was incorrectly handling
username/password information in the header.
Using this, an attacker can cause parts of Django -- particularly the
password-reset mechanism -- to generate and display arbitrary URLs to
users.
Updated Packages:
Mageia 1:
python-django-1.3.4-1.mga1
Mageia 2:
python-django-1.3.4-1.mga2
References:
https://www.djangoproject.com/weblog/2012/oct/17/security/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4520
https://bugs.mageia.org/show_bug.cgi?id=7835
