Django的開(kāi)發(fā)小組堅(jiān)定地承諾���,為報(bào)告和公開(kāi)安全相關(guān)問(wèn)題負(fù)責(zé)���,這在Django的安全問(wèn)題中列出。
作為承諾的一部分�����,我們保留了下面的問(wèn)題的歷史列表��,這些問(wèn)題已經(jīng)被解決和公開(kāi)�。對(duì)于每個(gè)問(wèn)題,下面的列表包含日期�����、簡(jiǎn)短的描述��、CVE 標(biāo)識(shí)符�����、受影響的版本列表��、完整的頁(yè)面鏈接以及相應(yīng)補(bǔ)丁的連接。
有一些重要的附加說(shuō)明:
- 列出的受影響版本只包含了在漏洞公開(kāi)時(shí)期的Django穩(wěn)定的安全支持發(fā)行版�����。這意味著��,老的版本(安全支持已經(jīng)過(guò)期)��,以及預(yù)發(fā)行版本(alpha/beta/RC)在漏洞公開(kāi)的時(shí)期也可能會(huì)受影響��,但是沒(méi)有列出�����。
- Django項(xiàng)目偶爾會(huì)發(fā)布安全公告�,指出潛在的安全問(wèn)題,可能會(huì)由不合理的配置或其他Django本身以外的問(wèn)題產(chǎn)生�����。這些公告中有一些收到了CVE�����;這種情況下�,它們會(huì)在這里列出來(lái),但是沒(méi)有任何附加的補(bǔ)丁或者發(fā)行版�,只有描述、公開(kāi)信息和CVE��。
Issues prior to Django’s security process
一些安全問(wèn)題在Django具有規(guī)范化的安全處理流程之前被修復(fù)���。對(duì)于這些問(wèn)題����,可能不會(huì)發(fā)布新的發(fā)行版�����,也不會(huì)分配CVE���。
August 16, 2006 - CVE-2007-0404
CVE-2007-0404: 翻譯框架中的文件名驗(yàn)證問(wèn)題�����。Full description
Versions affected
January 21, 2007 - CVE-2007-0405
CVE-2007-0405: 已認(rèn)證用戶(hù)的可見(jiàn)“緩存”����。Full description
Versions affected
Issues under Django’s security process
所有其它的安全問(wèn)題都已經(jīng)在Django安全處理流程下的版本中解決。下面會(huì)列出來(lái):
October 26, 2007 - CVE-2007-5712
CVE-2007-5712: 通過(guò)任意大尺寸Accept-Language協(xié)議頭的拒絕服務(wù)攻擊�����。Full description
Versions affected
May 14, 2008 - CVE-2008-2302
CVE-2008-2302: 通過(guò)admin登錄重定向的XSS�����。Full description
Versions affected
September 2, 2008 - CVE-2008-3909
CVE-2008-3909: 通過(guò)在admin登錄狀態(tài)下保存POST數(shù)據(jù)的CSRF���。Full description
Versions affected
July 28, 2009 - CVE-2009-2659
CVE-2009-2659: 開(kāi)發(fā)服務(wù)器的媒體處理器上的拒絕服務(wù)攻擊�。Full description
Versions affected
October 9, 2009 - CVE-2009-3965
CVE-2009-3965: 通過(guò)執(zhí)行異常正則表達(dá)式的拒絕服務(wù)攻擊���。Full description
Versions affected
September 8, 2010 - CVE-2010-3082
CVE-2010-3082: 通過(guò)不安全cookie值的XSS�。Full description
Versions affected
December 22, 2010 - CVE-2010-4534
CVE-2010-4534: 管理界面上的信息泄露�。Full description
Versions affected
December 22, 2010 - CVE-2010-4535
CVE-2010-4535: 密碼重置機(jī)制上的拒絕服務(wù)攻擊。Full description
Versions affected
February 8, 2011 - CVE-2011-0696
CVE-2011-0696: 通過(guò)偽造HTTP協(xié)議頭的XSS�。Full description
Versions affected
February 8, 2011 - CVE-2011-0697
CVE-2011-0697: 通過(guò)未檢查的名稱(chēng)或者上傳文件的XSS。Full description
Versions affected
February 8, 2011 - CVE-2011-0698
CVE-2011-0698: Windows上通過(guò)不正確的目錄分隔符處理的目錄遍歷�����。Full description
Versions affected
September 9, 2011 - CVE-2011-4136
CVE-2011-4136:使用memory-cache-backed會(huì)話時(shí)的會(huì)話操縱�。Full description
Versions affected
September 9, 2011 - CVE-2011-4137
CVE-2011-4137: 通過(guò)URLField.verify_exists的拒絕服務(wù)攻擊����。Full description
Versions affected
September 9, 2011 - CVE-2011-4138
CVE-2011-4138: 通過(guò)URLField.verify_exists的信息泄露/任何請(qǐng)求發(fā)布���。Full description
Versions affected
September 9, 2011 - CVE-2011-4139
CVE-2011-4139: Host協(xié)議頭緩存污染。 Full description
Versions affected
September 9, 2011 - CVE-2011-4140
CVE-2011-4140:通過(guò)Host協(xié)議頭的潛在CSRF威脅�。Full description
Versions affected
這個(gè)通知只是一個(gè)公告,沒(méi)有任何補(bǔ)丁發(fā)布�。
July 30, 2012 - CVE-2012-3442
CVE-2012-3442: 通過(guò)驗(yàn)證重定向模式失敗的XSS。Full description
Versions affected
July 30, 2012 - CVE-2012-3443
CVE-2012-3443: 通過(guò)壓縮的圖像文件的拒絕服務(wù)u攻擊�����。Full description
Versions affected
July 30, 2012 - CVE-2012-3444
CVE-2012-3444:通過(guò)大尺寸圖像文件的拒絕服務(wù)攻擊��。Full description
Versions affected
October 17, 2012 - CVE-2012-4520
CVE-2012-4520: Host協(xié)議頭污染����。Full description
Versions affected
December 10, 2012 - No CVE 1
對(duì)Host協(xié)議頭處理的額外加固。Full description
Versions affected
December 10, 2012 - No CVE 2
對(duì)重定向驗(yàn)證的額外加固�����。Full description
Versions affected
February 19, 2013 - No CVE
對(duì)Host協(xié)議頭處理的額外加固��。Full description
Versions affected
February 19, 2013 - CVE-2013-1664/1665
CVE-2013-1664 and CVE-2013-1665: 對(duì)Python XML庫(kù)的基于實(shí)體的攻擊。Full description
Versions affected
February 19, 2013 - CVE-2013-0305
CVE-2013-0305: 通過(guò)admin歷史記錄的信息泄露�。Full description
Versions affected
February 19, 2013 - CVE-2013-0306
CVE-2013-0306: 通過(guò)表單集max_num 的拒絕服務(wù)攻擊。Full description
Versions affected
August 13, 2013 - Awaiting CVE 1
(CVE not yet issued): 通過(guò)admin受信任的URLField值的XSS���。Full description
Versions affected
August 13, 2013 - Awaiting CVE 2
(CVE not yet issued):可能的XSS漏洞�,通過(guò)未驗(yàn)證的URL重定向模式��。Full description
Versions affected
September 10, 2013 - CVE-2013-4315
CVE-2013-4315 通過(guò)ssi模板標(biāo)簽的目錄遍歷�。Full description
Versions affected
September 14, 2013 - CVE-2013-1443
CVE-2013-1443: 通過(guò)長(zhǎng)密碼的拒絕服務(wù)攻擊。Full description
Versions affected
April 21, 2014 - CVE-2014-0472
CVE-2014-0472: 使用reverse()的非預(yù)期代碼執(zhí)行���。Full description
Versions affected
April 21, 2014 - CVE-2014-0473
CVE-2014-0473: 匿名頁(yè)面的緩存可能會(huì)泄露CSRF標(biāo)識(shí)�。Full description
Versions affected
April 21, 2014 - CVE-2014-0474
CVE-2014-0474: MySQL類(lèi)型轉(zhuǎn)換產(chǎn)生非預(yù)期的查詢(xún)結(jié)果�。Full description
Versions affected
May 18, 2014 - CVE-2014-1418
CVE-2014-1418: 緩存可能允許存儲(chǔ)和處理私人數(shù)據(jù)。Full description
Versions affected
May 18, 2014 - CVE-2014-3730
CVE-2014-3730: 來(lái)源于用戶(hù)輸入的錯(cuò)誤格式URL的不正確驗(yàn)證���。Full description
Versions affected
August 20, 2014 - CVE-2014-0480
CVE-2014-0480: reverse() 可能會(huì)生成指向其它域名的URL��。Full description
Versions affected
August 20, 2014 - CVE-2014-0481
CVE-2014-0481: 文件上傳的拒絕服務(wù)攻擊����。Full description
Versions affected
August 20, 2014 - CVE-2014-0482
CVE-2014-0482: RemoteUserMiddleware會(huì)話劫持����。Full description
Versions affected
August 20, 2014 - CVE-2014-0483
CVE-2014-0483: admin中查詢(xún)集操作產(chǎn)生的數(shù)據(jù)泄露����。Full description
Versions affected
January 13, 2015 - CVE-2015-0219
CVE-2015-0219: 通過(guò)下劃線或者破折號(hào)合并產(chǎn)生的WSGI協(xié)議頭欺騙�����。Full description
Versions affected
January 13, 2015 - CVE-2015-0220
CVE-2015-0220:
通過(guò)用戶(hù)提供的重定向URL的可能的XSS攻擊���。Full description
Versions affected
January 13, 2015 - CVE-2015-0221
CVE-2015-0221: django.views.static.serve()上的拒絕服務(wù)攻擊。Full description
Versions affected
January 13, 2015 - CVE-2015-0222
CVE-2015-0222: 使用ModelMultipleChoiceField的數(shù)據(jù)庫(kù)拒絕服務(wù)攻擊�。Full description
Versions affected
譯者:Django 文檔協(xié)作翻譯小組,原文:Disclosed security issues in Django����。
本文以 CC BY-NC-SA 3.0 協(xié)議發(fā)布,轉(zhuǎn)載請(qǐng)保留作者署名和文章出處�。
Django 文檔協(xié)作翻譯小組人手緊缺,有興趣的朋友可以加入我們���,完全公益性質(zhì)�����。交流群:467338606��。
