CVE-2011-0696
Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a “combination of browser plugins and redirects,” a related issue to CVE-2011-0447. (CVSS:6.8) (Last Update:2011-03-10)
CVE-2011-0697
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload. (CVSS:4.3) (Last Update:2011-03-10)
CVE-2011-0698
Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays. (CVSS:7.5) (Last Update:2011-02-23)
Oracle Critical Patch Update (CPU) – January 2011
CVE-2010-4534
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter. (CVSS:4.0) (Last Update:2011-01-20)
CVE-2010-4535
The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer. (CVSS:5.0) (Last Update:2011-01-20)
[ANNOUNCEMENT] Apache httpd 2.3.10-alpha released
The expected-to-be-final alpha release of Apache HTTP Server (aka, Apache httpd) 2.3.10-alpha is now available for download, test and use. Based on user and developer feedback, the next release of the next-gen version of Apache httpd will likely be our first beta. The hope and expectation is to push for a quick beta cycle and a 2.4.0 GA release around the beginning of 2011. Apache httpd 2.3.10-alpha can be found at: http://httpd.apache.org/
[ANNOUNCE] libapreq2-2.13 Released
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the 2.13 release of libapreq2. This Announcement notes significant changes introduced by this release.

libapreq2-2.13 is released under the Apache License version 2.0. It is now available through the ASF mirrors

http://httpd.apache.org/apreq/download.cgi

and has entered the CPAN as

file: $CPAN/authors/id/I/IS/ISAAC/libapreq2-2.13.tar.gz
size: 891320 bytes
md5: c11fb0861aa84dcc6cd0f0798b045eee

libapreq2 is an APR-based shared library used for parsing HTTP cookies, query-strings and POST data. This package provides

1) version 2.8.0 of the libapreq2 library,
2) mod_apreq2, a filter module necessary for using libapreq2 within the Apache HTTP Server,
3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload perl modules for using libapreq2 with mod_perl2.

Changes with libapreq2-2.13 (released December 3, 2010)

- HTTP Only Cookie [Robert Stone & Adam Prime]
  The C and Perl Cookie APIs now support an HttpOnly flag to tell user agents to deny client-side script access to the cookie
[ANNOUNCE] mod_fcgid 2.3.6 is released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.3.6 of mod_fcgid, a FastCGI implementation for Apache HTTP Server versions 2.0, 2.2, and future 2.4.

This version of mod_fcgid is a bug fix release. A fix is included for CVE-2010-3872, a potential vulnerability which can affect sites with untrusted FastCGI applications. Additionally, default configuration settings for request body handling have been changed to prevent large system resource use. Administrators of all versions of mod_fcgid are strongly cautioned to ensure that FcgidMaxRequestLen is configured appropriately.

mod_fcgid is available for download from: http://httpd.apache.org/download.cgi

A full list of changes in this release follows:

*) SECURITY: CVE-2010-3872 (cve.mitre.org) Fix possible stack buffer overwrite. Diagnosed by the reporter. PR 49406. [Edgar Frank <ef-lists email.de>]
*) Change the default for FcgidMaxRequestLen from 1GB to 128K. Administrators should change this to an appropriate value based on site requirements. [Jeff Trawick]
*) Allow FastCGI apps more time to exit at shutdown before being forcefully killed. [Jeff Trawick]
*) Correct a problem that resulted in FcgidMaxProcesses being ignored in some situations. PR 48981. [<rkosolapov gmail.com>]
*) Fix the search for processes with the proper vhost config when ServerName isn't set in every vhost or a module updates r->server->server_hostname dynamically (e.g., mod_vhost_cdb) or a module updates r->server dynamically (e.g., mod_vhost_ldap). [Jeff Trawick]
*) FcgidPassHeader now maps header names to environment variable names in the usual manner: The header name is converted to upper case and is prefixed with HTTP_. An additional environment variable is created with the legacy name. PR 48964. [Jeff Trawick]
*) Allow processes to be reused within multiple phases of a request by releasing them into the free list as soon as possible. [Chris Darroch]
*) Fix lookup of process command lines when using FcgidWrapper or access control directives, including within .htaccess files. [Chris Darroch]
*) Resolve a regression in 2.3.5 with httpd 2.0.x on some Unix platforms; ownership of mutex files was incorrect, resulting in a startup failure. PR 48651. [Jeff Trawick, <pservit gmail.com>]
*) Return 500 instead of segfaulting when the application returns no output. [Tatsuki Sugiura <sugi nemui.org>, Jeff Trawick]
*) In FCGI_AUTHORIZER role, avoid spawning a new process for every different HTTP request. [Chris Darroch]