[ubuntu/vivid-proposed] python-django 1.6.6-1ubuntu3 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Tue Jan 13 20:04:14 UTC 2015
python-django (1.6.6-1ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: WSGI header spoofing via underscore/dash conflation
    - debian/patches/CVE-2015-0219.patch: strip headers with underscores in
      django/core/servers/basehttp.py, added blurb to
      docs/howto/auth-remote-user.txt, added test to
      tests/servers/test_basehttp.py.
    - CVE-2015-0219
  * SECURITY UPDATE: Mitigated possible XSS attack via user-supplied
    redirect URLs
    - debian/patches/CVE-2015-0220.patch: filter url in
      django/utils/http.py, added test to tests/utils_tests/test_http.py.
    - CVE-2015-0220
  * SECURITY UPDATE: Denial-of-service attack against
    django.views.static.serve
    - debian/patches/CVE-2015-0221.patch: limit large files in
      django/views/static.py, added test to
      tests/view_tests/media/long-line.txt,
      tests/view_tests/tests/test_static.py.
    - CVE-2015-0221
  * SECURITY UPDATE: Database denial-of-service with
    ModelMultipleChoiceField
    - debian/patches/CVE-2015-0222.patch: check values in
      django/forms/models.py, added test to tests/model_forms/tests.py.
    - CVE-2015-0222

Date: Tue, 13 Jan 2015 07:32:43 -0500
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/python-django/1.6.6-1ubuntu3
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 13 Jan 2015 07:32:43 -0500
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source
Version: 1.6.6-1ubuntu3
Distribution: vivid
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description:
python-django - High-level Python web development framework
python-django-common - High-level Python web development framework (common)
python-django-doc - High-level Python web development framework (documentation)
python3-django - High-level Python web development framework
Checksums-Sha1:
7a4472101004c2c80b6c58bb06cf8b63f003f128 2516 python-django_1.6.6-1ubuntu3.dsc
29da1efbb78d897f7f99b6896056d88c226edc05 26600 python-django_1.6.6-1ubuntu3.debian.tar.xz
Checksums-Sha256:
73e5aa5b928632d801ee85fa4d088e9e385de42b894ec2c9c38809e7b82886de 2516 python-django_1.6.6-1ubuntu3.dsc
fda73a54268e1a9cea2569bf6d108db55f9c1967a0e47473da14e2c4b706bfaf 26600 python-django_1.6.6-1ubuntu3.debian.tar.xz
Files:
de23feecf678d089ccbaa9300b7d17c8 2516 python optional python-django_1.6.6-1ubuntu3.dsc
1e965ecbbc59d6a60a64b1ead7184d82 26600 python optional python-django_1.6.6-1ubuntu3.debian.tar.xz
Original-Maintainer: Debian Python Modules Team <python-modules-team at lists.alioth.debian.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----