{"id":"USN-2212-1","summary":"python-django vulnerabilities","details":"Stephen Stewart, Michael Nelson, Natalia Bidart and James Westby\ndiscovered that Django improperly removed Vary and Cache-Control headers\nfrom HTTP responses when replying to a request from an Internet Explorer\nor Chrome Frame client. An attacker may use this to retrieve private data\nor poison caches. This update removes workarounds for bugs in Internet\nExplorer 6 and 7. (CVE-2014-1418)\n\nPeter Kuma and Gavin Wahl discovered that Django did not correctly\nvalidate some malformed URLs, which are accepted by some browsers. An\nattacker may use this to cause unexpected redirects. An update has been\nprovided for 12.04 LTS, 12.10, 13.10, and 14.04 LTS; this issue remains\nunfixed for 10.04 LTS as no \"is_safe_url()\" functionality existed in\nthis version.\n","modified":"2026-02-10T04:40:48Z","published":"2014-05-15T01:26:18Z","related":["UBUNTU-CVE-2014-1418","UBUNTU-CVE-2014-3730"],"upstream":["CVE-2014-1418","UBUNTU-CVE-2014-1418"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-2212-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-1418"}],"affected":[{"package":{"name":"python-django","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/python-django@1.6.1-2ubuntu0.3?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.1-2ubuntu0.3"}]}],"versions":["1.5.4-1ubuntu1","1.6-1","1.6.1-1","1.6.1-2","1.6.1-2ubuntu0.1","1.6.1-2ubuntu0.2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.6.1-2ubuntu0.3","binary_name":"python-django"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2014-1418","severity":[{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:14.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2212-1.json"}}],"schema_version":"1.7.3"}