CVE-2012-4520

Publication date 30 October 2012

Last updated 24 July 2024

Ubuntu priority

The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
python-django	12.10 quantal	Fixed 1.4.1-2ubuntu0.1
	12.04 LTS precise	Fixed 1.3.1-4ubuntu1.3
	11.10 oneiric	Fixed 1.3-2ubuntu1.4
	10.04 LTS lucid	Fixed 1.1.1-2ubuntu1.6
	8.04 LTS hardy	Ignored

Notes

jdstrand

fix introduced LP: #1080204

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
python-django	Upstream: 92d3430 Upstream: b45c377 Debdiff: https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/1068486

References

Related Ubuntu Security Notices (USN)

USN-1757-1
Django vulnerabilities
7 March 2013