[Bug 1089337] Re: Please backport Django 1.3.5/1.4.3 security updates

Launchpad Bug Tracker 1089337 at bugs.launchpad.net
Thu Mar 7 15:23:12 UTC 2013


This bug was fixed in the package python-django - 1.3-2ubuntu1.6

---------------
python-django (1.3-2ubuntu1.6) oneiric-security; urgency=low

  * SECURITY UPDATE: host header poisoning (LP: #1089337)
    - debian/patches/fix_get_host.patch: tighten host header validation in
      django/http/__init__.py, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: redirect poisoning (LP: #1089337)
    - debian/patches/fix_redirect_poisoning.patch: tighten validation in
      django/contrib/auth/views.py,
      django/contrib/comments/views/comments.py,
      django/contrib/comments/views/moderation.py,
      django/contrib/comments/views/utils.py, django/utils/http.py,
      django/views/i18n.py, add tests to
      tests/regressiontests/comment_tests/tests/comment_view_tests.py,
      tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
      tests/regressiontests/views/tests/i18n.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: host header poisoning (LP: #1130445)
    - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
      to django/conf/global_settings.py,
      django/conf/project_template/settings.py,
      django/http/__init__.py, django/test/utils.py, add docs to
      docs/ref/settings.txt, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - No CVE number
  * SECURITY UPDATE: XML attacks (LP: #1130445)
    - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
      and external entities/DTDs in
      django/core/serializers/xml_serializer.py, add tests to
      tests/regressiontests/serializers_regress/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-1664
    - CVE-2013-1665
  * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
    - debian/patches/CVE-2013-0305.patch: add permission checks to history
      view in django/contrib/admin/options.py, add tests to
      tests/regressiontests/admin_views/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0305
  * SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
    - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
      django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
      docs/topics/forms/modelforms.txt, add tests to
      tests/regressiontests/forms/tests/formsets.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0306
 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>   Mon, 04 Mar 2013 10:33:54 -0500

** Changed in: python-django (Ubuntu Oneiric)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0305

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0306

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1664

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1665

** Changed in: python-django (Ubuntu Lucid)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-django in Ubuntu.
https://bugs.launchpad.net/bugs/1089337

Title:
  Please backport Django 1.3.5/1.4.3 security updates

Status in “python-django” package in Ubuntu:
  Fix Released
Status in “python-django” source package in Lucid:
  Fix Released
Status in “python-django” source package in Oneiric:
  Fix Released
Status in “python-django” source package in Precise:
  Confirmed
Status in “python-django” source package in Quantal:
  Fix Released
Status in “python-django” source package in Raring:
  Fix Released

Bug description:
  Django released new versions 1.3.5 and 1.4.3 recently with some security updates:
  https://www.djangoproject.com/weblog/2012/dec/10/security/

  Please backport these fixes to Ubuntu releases.
