In association with heise online

12 September 2011, 12:15

Django updates address security bugs

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Django Logo The Django Project has released updates to the 1.2.x and 1.3.x branches of the Python-based web framework. According to the developers, versions 1.2.6 and 1.3.1 contain patches for a number of security problems found in previous versions; however, due to a problem with the 1.2.6 release tarball, the developers have issued Django 1.2.7.

The problems fixed include a session manipulation bug, a denial-of-service (DoS) vulnerability in Django's URLField, redirection issues with the URLField and a potential route to cache poisoning. All users are advised to upgrade to the latest versions as soon as possible.

There are though, a number of potential problems which are not fixed. For these, the developers are offering advice on how to mitigate a Django installation's exposure to them. For example, it is possible to by-pass Django's CSRF-protection mechanism with certain server configurations; the developers recommend thorough validation of headers to mitigate against this. Other problems addressed relate to how to obscure sensitive POST data in DEBUG pages and cookie-related CSRF mitigations.

The details of the updates and advice on mitigating other issues is available in a post on the Django weblog. Versions 1.2.7 and 1.3.1 of Django are available to download from the project's site. Django is released under the BSD licence.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit