Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2011-4140

Publication date 19 October 2011

Last updated 24 July 2024


Ubuntu priority

Negligible

Why this priority?

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.

Read the notes from the security team

Status

Package Ubuntu Release Status
python-django 11.10 oneiric Ignored
11.04 natty Ignored
10.10 maverick Ignored
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored

Notes


jdstrand

Upstream does not consider this a bug in Django but instead advises that web servers be properly configured: "To avoid this potential attack, we recommend that users of Django ensure their web-server configuration always validates incoming HTTP Host headers against the expected host name, disallows requests with no Host header, and that the web server not be configured with a catch-all virtual host which forwards requests to a Django application. in addition to the vulnerabilities python-django disclosed, they also posted 3 advisories. 2 of them did not receive a CVE, but this one did. Upstream is not planning on fixing the issue as it is depenedent on an insecure server configuration, as such there is nothing to be done in Ubuntu.