Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=357051
Summary: Django 0.96 i18n DoS
Product: Fedora
Version: f7
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: low
Component: Django
AssignedTo: michel.sylvan@gmail.com
ReportedBy: ville.skytta@iki.fi
QAContact: extras-qa@fedoraproject.org
CC: fedora-security-list@redhat.com
http://www.djangoproject.com/weblog/2007/oct/26/security-fix/
"A per-process cache used by Django's internationalization ("i18n") system to store the results of translation lookups for particular values of the HTTP Accept-Language header used the full value of that header as a key. An attacker could take advantage of this by sending repeated requests with extremely large strings in the Accept-Language header, potentially causing a denial of service by filling available memory.
Due to limitations imposed by Web server software on the size of HTTP header fields, combined with reasonable limits on the number of requests which may be handled by a single server process over its lifetime, this vulnerability may be difficult to exploit. Additionally, it is only present when the "USE_I18N" setting in Django is "True" and the i18n middleware component is enabled*. Nonetheless, all users of affected versions of Django are encouraged to update."
All Fedora and EPEL branches are at 0.96 (which is vulnerable) at the moment.
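The cache behaviour the quoted advisory describes, as an added illustration that is not Django's code and not the 0.96.1 fix: a translation-lookup cache keyed on the raw Accept-Language value, beside a hardened version keyed only on the normalized language tags it actually supports. The SUPPORTED set, DEFAULT_LANG, the 8192-byte header cap, the element regex and the simulated attacker headers are all assumptions constructed for this example.

```python
"""Added illustration of the CVE-2007-5712 pattern: a per-process cache that
uses the raw Accept-Language header as its key, versus one keyed on
normalized language tags.  Not Django's code; SUPPORTED, DEFAULT_LANG,
MAX_HEADER_LEN and the parser are assumptions made for this example."""
import re

SUPPORTED = {"en", "de", "fr", "es"}   # assumption: the site's translations
DEFAULT_LANG = "en"                    # assumption: fallback language
MAX_HEADER_LEN = 8192                  # assumption: about one HTTP header line

# One Accept-Language element: a language tag (or *) with an optional q-value.
_ELEMENT_RE = re.compile(
    r"([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)"
    r"(?:\s*;\s*q=(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?"
)


def parse_accept_lang(header):
    """Return [(tag, q)] sorted by descending q.  Malformed elements and
    q=0 entries are dropped rather than trusted or cached."""
    result = []
    for piece in header.split(","):
        m = _ELEMENT_RE.fullmatch(piece.strip())
        if not m:
            continue
        tag, q = m.group(1).lower(), m.group(2)
        q = float(q) if q else 1.0
        if q > 0:
            result.append((tag, q))
    result.sort(key=lambda t: -t[1])     # stable sort: header order breaks ties
    return result


def pick_language(header):
    """Uncached resolution of a header to a supported language code."""
    for tag, _q in parse_accept_lang(header):
        if tag == "*":
            break
        for candidate in (tag, tag.split("-")[0]):
            if candidate in SUPPORTED:
                return candidate
    return DEFAULT_LANG


class VulnerableCache:
    """The 0.96 pattern: the full header string is the key, so every distinct
    (and arbitrarily long) header an attacker sends becomes a new entry."""

    def __init__(self):
        self._cache = {}

    def lookup(self, header):
        if header not in self._cache:
            self._cache[header] = pick_language(header)
        return self._cache[header]

    def size(self):
        return len(self._cache)

    def bytes_held(self):
        return sum(len(k) for k in self._cache)


class HardenedCache:
    """Keys are normalized tags, and only tags that resolve to a supported
    language are stored, so the cache never exceeds len(SUPPORTED) entries.
    Oversized headers get the default answer and are never parsed."""

    def __init__(self):
        self._cache = {}

    def lookup(self, header):
        if len(header) > MAX_HEADER_LEN:
            return DEFAULT_LANG
        for tag, _q in parse_accept_lang(header):
            if tag == "*":
                break
            for candidate in (tag, tag.split("-")[0]):
                if candidate in self._cache:
                    return self._cache[candidate]
                if candidate in SUPPORTED:
                    self._cache[candidate] = candidate
                    return candidate
        return DEFAULT_LANG

    def size(self):
        return len(self._cache)


def simulate(cache, n_requests, padding):
    """Send n_requests distinct headers, each carrying `padding` bytes of junk
    (constructed attacker input); return the cache's entry count afterwards."""
    for i in range(n_requests):
        header = "en;q=0.5, " + "z" * padding + str(i)
        cache.lookup(header)
    return cache.size()


if __name__ == "__main__":
    v, h = VulnerableCache(), HardenedCache()
    print("vulnerable entries:", simulate(v, 500, 4000), "bytes:", v.bytes_held())
    print("hardened entries:", simulate(h, 500, 4000))
```

The simulation is what the advisory's mitigating factors are about: each request can only carry a header up to the server's per-line limit, so the vulnerable cache grows by at most that much per request, and the growth is per worker process, which is why a bounded request count per process keeps it from being fatal. The hardened version removes the dependency on both limits by making the key space finite.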
------- Additional Comments From ville.skytta@iki.fi 2007-10-29 14:15 EST -------
Credit where it's due: found at http://www.vuxml.org/freebsd/d2c2952d-85a1-11dc-bfff-003048705d5a.html
Summary: CVE-2007-5712 Django 0.96 i18n DoS Alias: CVE-2007-5712
thoger@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Alias|                            |CVE-2007-5712
           Summary|Django 0.96 i18n DoS        |CVE-2007-5712 Django 0.96 i18n DoS
------- Additional Comments From thoger@redhat.com 2007-10-31 08:59 EST -------
CVE id CVE-2007-5712 was assigned to this issue.
lkundrak@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Component|Django                      |vulnerability
           Product|Fedora                      |Security Response
           Version|f7                          |unspecified
lkundrak@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |michel.sylvan@gmail.com
        AssignedTo|michel.sylvan@gmail.com     |security-response-team@redhat.com
Bug 357051 depends on bug 362781, which changed state.
Bug 362781 Summary: CVE-2007-5712 Django 0.96 i18n DoS [Fdevel] https://bugzilla.redhat.com/show_bug.cgi?id=362781
           What    |Old Value                   |New Value
----------------------------------------------------------------------------
            Status|NEW                         |CLOSED
        Resolution|                            |NEXTRELEASE
------- Additional Comments From updates@fedoraproject.org 2007-11-06 11:04 EST -------
Django-0.96.1-1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update Django'
------- Additional Comments From updates@fedoraproject.org 2007-11-09 18:53 EST -------
Django-0.96.1-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
updates@fedoraproject.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|NEW                         |CLOSED
        Resolution|                            |ERRATA
  Fixed In Version|                            |0.96.1-1.fc8
Bug 357051 depends on bug 362771, which changed state.
Bug 362771 Summary: CVE-2007-5712 Django 0.96 i18n DoS [F8] https://bugzilla.redhat.com/show_bug.cgi?id=362771
           What    |Old Value                   |New Value
----------------------------------------------------------------------------
            Status|ASSIGNED                    |CLOSED
        Resolution|                            |ERRATA
------- Additional Comments From updates@fedoraproject.org 2007-11-09 18:58 EST -------
Django-0.96.1-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Bug 357051 depends on bug 362761, which changed state.
Bug 362761 Summary: CVE-2007-5712 Django 0.96 i18n DoS [F7] https://bugzilla.redhat.com/show_bug.cgi?id=362761
           What    |Old Value                   |New Value
----------------------------------------------------------------------------
            Status|NEW                         |CLOSED
        Resolution|                            |CURRENTRELEASE