CVE-2010-4535

Publication date 22 December 2010

Last updated 24 July 2024

Ubuntu priority

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
python-django	11.10 oneiric	Fixed 1.2.3-1ubuntu0.2.11.04.1
	11.04 natty	Fixed 1.2.3-1ubuntu0.2.11.04.1
	10.10 maverick	Fixed 1.2.3-1ubuntu0.2.10.10.1
	10.04 LTS lucid	Fixed 1.1.1-2ubuntu1.2
	9.10 karmic	Fixed 1.1.1-1ubuntu1.1
	8.04 LTS hardy	Ignored end of life
	6.06 LTS dapper	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
python-django	Upstream: http://code.djangoproject.com/changeset/15034 Upstream: http://code.djangoproject.com/changeset/15036

CVE-2010-4535

Status

Patch details

References

Related Ubuntu Security Notices (USN)

Other references