CVE-2015-5144

NameCVE-2015-5144
DescriptionDjango before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-272-1, DSA-3305-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)wheezy1.4.5-1+deb7u16fixed
wheezy (security)1.4.22-1+deb7u3fixed
jessie (security), jessie1.7.11-1+deb8u2fixed
stretch1:1.10.7-2fixed
buster, sid1:1.11.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosource(unstable)1.7.9-1medium
python-djangosourcejessie1.7.7-1+deb8u1mediumDSA-3305-1
python-djangosourcesqueeze1.2.3-3+squeeze13mediumDLA-272-1
python-djangosourcewheezy1.4.5-1+deb7u12mediumDSA-3305-1

Notes

https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5144 has split out patches

Search for package or bug name: Reporting problems