In accordance with our security policy[1], a set of releases is being issued tonight to fix a security vulnerability reported to the Django project. This message contains a description of the vulnerability, a description of the changes made to fix it, pointers to the relevant patches for each supported version of Django and pointers to the resulting releases. A copy of this information will also be posted on the official Django weblog, and the relevant areas of the Django website are being updated to reflect the new releases.
Description of vulnerability:

The Django administration application will, when accessed by a user who is not sufficiently authenticated, display a login form and ask the user to provide the necessary credentials before displaying the requested page. This form is submitted to the URL the user attempted to access, by supplying the current request path as the value of the form's "action" attribute. The value of the request path was not being escaped, creating an opportunity for a cross-site scripting (XSS) attack: a user could be led to a URL whose request path contained URL-encoded HTML and/or JavaScript, which would then be emitted verbatim into the login page.

Affected versions:

* Django development trunk
* Django 0.96
* Django 0.95
* Django 0.91

Resolution:

The login form has been changed to escape the request path before using it as the form's submission action. The relevant changesets for affected versions of Django are:

* Django development trunk: Changeset 7521 (http://code.djangoproject.com/changeset/7521)
* Django 0.96: Changeset 7527 (http://code.djangoproject.com/changeset/7527)
* Django 0.95: Changeset 7528 (http://code.djangoproject.com/changeset/7528)
* Django 0.91: Changeset 7529 (http://code.djangoproject.com/changeset/7529)

The following releases have been issued based on the above changesets:

* Django 0.96.2: http://media.djangoproject.com/releases/0.96/Django-0.96.2.tar.gz
* Django 0.95.3: http://media.djangoproject.com/releases/0.95/Django-0.95.3.tar.gz
* Django 0.91.2: http://media.djangoproject.com/releases/0.91/Django-0.91.2.tar.gz

All users of affected versions of Django are strongly encouraged to apply the relevant patch or upgrade to the relevant patched release as soon as possible.

Release manager's note: If you maintain a third-party Django package and you did *not* receive the announcement of these releases from me earlier tonight, please email me directly as soon as possible.
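To make the flaw and the fix concrete, here is an added, constructed illustration (not Django's own template or changeset code): a stand-in for the login form's "action" attribute rendered once with the request path interpolated verbatim, once HTML-escaped, plus a parser-based check that the escaped form keeps the path inside the attribute. The form markup and the sample request path are assumptions made for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed stand-in for the admin login template's <form> tag; this is
# not Django's own template source.
LOGIN_FORM = '<form action="{action}" method="post" id="login-form">'


def render_login_form_unescaped(request_path):
    """Pre-fix behaviour: the request path is interpolated verbatim."""
    return LOGIN_FORM.format(action=request_path)


def render_login_form_escaped(request_path):
    """Post-fix behaviour: the path is HTML-escaped (quotes included) before
    use as the attribute value, so it cannot end the attribute or open a tag."""
    return LOGIN_FORM.format(action=html.escape(request_path, quote=True))


class _TagCollector(HTMLParser):
    """Collects every start tag and its attributes from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def start_tags(fragment):
    """Return the (tag, attrs) pairs a browser-like parser sees in fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def form_action_round_trips(request_path, renderer):
    """True if the rendered fragment contains exactly one tag, a <form>, whose
    decoded action attribute equals the original request path."""
    tags = start_tags(renderer(request_path))
    return (len(tags) == 1 and tags[0][0] == "form"
            and tags[0][1].get("action") == request_path)


if __name__ == "__main__":
    # Constructed request path: the WSGI layer percent-decodes PATH_INFO, so
    # URL-encoded quote and angle-bracket characters reach the template literally.
    path = unquote("/admin/auth/user/%22%3E%3Cb%3Ehi%3C/b%3E")
    print(form_action_round_trips(path, render_login_form_unescaped))  # False
    print(form_action_round_trips(path, render_login_form_escaped))    # True
```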
Also, please note that potential security vulnerabilities should be reported directly to the Django project, at [EMAIL PROTECTED], as outlined in our security policy[1]. Following this procedure helps us to maintain high standards of response and disclosure, and makes the process of investigating and resolving security issues much easier for everyone involved.

[1] http://www.djangoproject.com/documentation/contributing/#reporting-security-issues

-- 
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."