[ubuntu-cloud-archive/cloud-tools-updates] python-django (Accepted)
Scott Moser
smoser at ubuntu.com
Mon Sep 15 16:41:50 UTC 2014
python-django (1.6.1-2ubuntu0.3~ctools0) precise; urgency=medium
.
* New update for the Ubuntu Cloud Archive.
.
python-django (1.6.1-2ubuntu0.3) trusty-security; urgency=medium
.
* SECURITY UPDATE: cache coherency problems in old Internet Explorer
compatibility functions lead to loss of privacy and cache poisoning
attacks. (LP: #1317663)
- debian/patches/drop_fix_ie_for_vary_1_6.diff: remove fix_IE_for_vary()
and fix_IE_for_attach() functions so Cache-Control and Vary headers are
no longer modified. This may introduce some regressions for IE 6 and IE 7
users. Patch from upstream.
- CVE-2014-1418
* SECURITY UPDATE: The validation for redirects did not correctly validate
some malformed URLs, which are accepted by some browsers. This allows a
user to be redirected to an unsafe URL unexpectedly.
- debian/patches/is_safe_url_1_6.diff: Forbid URLs starting with '///',
forbid URLs without a host but with a path. Patch from upstream.
.
python-django (1.6.1-2ubuntu0.2) trusty-security; urgency=medium
.
* SECURITY REGRESSION: security fix regression when a view is a partial
(LP: #1311433)
- debian/patches/CVE-2014-0472-regression.patch: create the lookup_str
from the original function whenever a partial is provided as an
argument to a url pattern in django/core/urlresolvers.py,
added tests to tests/urlpatterns_reverse/urls.py,
tests/urlpatterns_reverse/views.py.
- CVE-2014-0472
.
python-django (1.6.1-2ubuntu0.1) trusty-security; urgency=medium
.
* SECURITY UPDATE: unexpected code execution using reverse()
(LP: #1309779)
- debian/patches/CVE-2014-0472.patch: added filtering to
django/core/urlresolvers.py, added tests to
tests/urlpatterns_reverse/nonimported_module.py,
tests/urlpatterns_reverse/tests.py,
tests/urlpatterns_reverse/urls.py,
tests/urlpatterns_reverse/views.py.
- CVE-2014-0472
* SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
(LP: #1309782)
- debian/patches/CVE-2014-0473.patch: don't cache responses with a
cookie in django/middleware/cache.py, added tests to
tests/cache/tests.py.
- CVE-2014-0473
* SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
- debian/patches/CVE-2014-0474.patch: convert arguments to correct
type in django/db/models/fields/__init__.py, updated docs in
docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
tests/model_fields/tests.py.
- CVE-2014-0474
.
python-django (1.6.1-2) unstable; urgency=medium
.
* Team upload.
* d/patches/ticket21869.diff: Cherry pick upstream fix for building
documentation against Sphinx 1.2.1.
Date: Tue, 22 Jul 2014 09:22:45 -0400
Changed-By: Scott Moser <smoser at ubuntu.com>
Signed-By: Scott Moser <smoser at ubuntu.com>
Published-By: Scott Moser <smoser at ubuntu.com>
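
Added example (not part of the changelog and not Django's own code): a simplified redirect-target check showing the two rules named in the is_safe_url_1_6.diff entry, rejecting targets that start with '///' and targets such as http:///host/path, where the parser sees a path but no host. The function name, the sample URLs and the backslash normalisation are assumptions of this example.

```python
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(url, host):
    """Return True only if url is a relative path or stays on `host`."""
    if not url:
        return False
    # Extra hardening assumed by this example (not named in the changelog):
    # some browsers treat "\" like "/", so normalise before checking.
    url = url.strip().replace("\\", "/")
    # Rule 1 from the changelog: forbid targets starting with '///'.
    # A strict parser sees an empty host plus a path here, while some
    # browsers accept the first path segment as the host.
    if url.startswith("///"):
        return False
    try:
        parts = urlparse(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # Rule 2 from the changelog: a scheme with a path but no host
    # (http:///other.example.test/x) is rejected for the same reason.
    if parts.scheme and not parts.netloc:
        return False
    # Any explicit host must be the host we are serving.
    if parts.netloc and parts.netloc != host:
        return False
    # Any explicit scheme must be a web scheme.
    if parts.scheme and parts.scheme not in ALLOWED_SCHEMES:
        return False
    return True


# Constructed sample inputs; all host names are placeholders.
SAMPLES = [
    "/accounts/profile/",
    "https://app.example.test/next",
    "///other.example.test/path",
    "http:///other.example.test/path",
    "//other.example.test/path",
    "ftp://app.example.test/file",
]


def check_samples(host="app.example.test"):
    """Map each constructed sample to the validator's verdict."""
    return {u: is_safe_redirect(u, host) for u in SAMPLES}
```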