Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2015-0219

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.

Related bugs and status

CVE-2015-0219 (Candidate) is related to these bugs:

Bug #1644346: SRU update Trusty to Python Django 1.6.11

Summary				In	Importance	Status
	1644346	SRU update Trusty to Python Django 1.6.11		python-django (Ubuntu)	Medium	Invalid
	1644346	SRU update Trusty to Python Django 1.6.11		python-django (Ubuntu Trusty)	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://www.djangoproj...
UBUNTU: USN-2469-1
SECUNIA: 62285
SECUNIA: 62309
SECUNIA: 62718
CONFIRM: http://advisories.mage...
MANDRIVA: MDVSA-2015:036
MANDRIVA: MDVSA-2015:109
SUSE: openSUSE-SU-2015:0643
FEDORA: FEDORA-2015-0714
FEDORA: FEDORA-2015-0790
FEDORA: FEDORA-2015-0804
SUSE: openSUSE-SU-2015:1598