Description
Jedediah Smith discovered that Django incorrectly handled underscores in
WSGI headers. A remote attacker could possibly use this issue to spoof
headers in certain environments.
Mikko Ohtamaa discovered that Django incorrectly handled user-supplied
redirect URLs. A remote attacker could possibly use this issue to perform a
cross-site scripting attack.
Alex Gaynor discovered that Django incorrectly handled reading files in
django.views.static.serve(). A remote attacker could possibly use this
issue to cause Django to consume resources, resulting in a denial of
service.
Keryn Knight discovered that Django incorrectly handled forms with
ModelMultipleChoiceField. A remote attacker could possibly use this issue
to cause a large number of SQL queries, resulting in a database denial of
service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.