Package: python-django
Version: 1.0.2-1
Severity: serious
Tags: security

> Django includes a lightweight, WSGI-based web server for use in
> learning Django and in testing new applications during early stages of
> development. For sake of convenience, this web server automatically
> maps certain URLs corresponding to the static media files used by the
> Django administrative application.
>
> The handler which maps these URLs did not properly check the requested
> URL to verify that it corresponds to a static media file used by
> Django. As such, a carefully-crafted URL can cause the development
> server to serve any file to which it has read access.
>
> By default, the development server does not listen on interfaces other
> than the local IPv4 loopback, and Django's documentation has and will
> continue to have stern warnings against the use of the development
> server in other situations (e.g., listening on a publicly- or
> network-accessible interface), and stating that the development server
> is not considered secure or performant enough for such use.
<http://www.djangoproject.com/weblog/2009/jul/28/security/>

Does not affect unstable (once 1.1-1 lands).

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org
       `-
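The check the quoted announcement says was missing, written out as an added example (this is not Django's code, nor the fix the announcement links to): a static-media handler must decide on the path as it resolves on disk, not on the request string, and serve only regular files strictly inside the configured media root. The `resolve_static_path` function, the `demo` helper and the temporary directory layout it builds are all constructed for this illustration.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote


def resolve_static_path(media_root, url_path):
    """Map a request path onto a file under media_root.

    Returns the absolute filesystem path when the request resolves to a
    regular file strictly inside media_root, otherwise None.  The decision
    is made on the *resolved* path (symlinks and '..' collapsed), so
    percent-encoded or repeated '..' segments in the request cannot escape.
    """
    try:
        root = os.path.realpath(media_root)
        # Decode percent-encoding, then collapse '.' and '..' the way a URL
        # path is interpreted; leading slashes are not meaningful here.
        cleaned = posixpath.normpath(unquote(url_path)).lstrip("/")
        # After normpath, any surviving '..' sits at the front: reject it,
        # along with an empty request that would name the root itself.
        if cleaned in ("", ".") or cleaned.split("/")[0] == "..":
            return None
        candidate = os.path.realpath(os.path.join(root, *cleaned.split("/")))
        # Authoritative containment check on the resolved path.
        if os.path.commonpath([root, candidate]) != root or candidate == root:
            return None
        if not os.path.isfile(candidate):
            return None
        return candidate
    except ValueError:
        # Embedded NUL bytes and similar malformed input: refuse, do not serve.
        return None


def demo():
    """Build a throwaway media root with one asset and a sibling file outside
    it, then report which constructed request paths the checker accepts."""
    with tempfile.TemporaryDirectory() as parent:
        root = os.path.join(parent, "media")
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "css", "base.css"), "w") as fh:
            fh.write("body {}\n")
        # A file next to, not under, the media root: must never be served.
        with open(os.path.join(parent, "settings.py"), "w") as fh:
            fh.write("SECRET_KEY = 'constructed-placeholder'\n")
        requests = [
            "css/base.css",           # legitimate asset
            "/css/base.css",          # leading slash, same asset
            "css/../css/base.css",    # harmless self-referencing '..'
            "../settings.py",         # climbs out of the root
            "css/../../settings.py",  # same, via a subdirectory
            "%2e%2e/settings.py",     # percent-encoded variant
            "css",                    # a directory, not a file
        ]
        return {r: resolve_static_path(root, r) is not None for r in requests}


if __name__ == "__main__":
    for request, served in demo().items():
        print(f"{request!r:28} -> {'served' if served else 'refused'}")
```

Only the first three requests are served; the rest are refused because either a `..` survives normalisation or the resolved path is not a regular file under the root. Checking `os.path.realpath` output rather than the request text is what makes the encoded and nested variants fall out of the same rule.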