[Python-modules-team] Bug#816434: CVE-2016-2512 and CVE-2016-2513
Luke Faraone
lfaraone at debian.org
Tue Mar 1 20:04:03 UTC 2016
Source: python-django
Version: 1.9.2-1
Severity: important
Tags: security

Today Django published an advisory for 1.9.3 and 1.8.10.
I am investigating whether stable is affected; it is likely.

https://www.djangoproject.com/weblog/2016/mar/01/security-releases/

CVE-2016-2512
> Malicious redirect and possible XSS attack via user-supplied redirect URLs
> containing basic auth

CVE-2016-2513
> User enumeration through timing difference on password hasher work factor
> upgrade