[ubuntu-cloud-archive/folsom-proposed] python-django (Accepted)

James Page james.page at ubuntu.com
Mon Mar 11 09:08:18 UTC 2013 

 python-django (1.4.1-2ubuntu0.3~cloud0) precise-folsom; urgency=low
 .
   * New security update for the Ubuntu Cloud Archive.
 .
 python-django (1.4.1-2ubuntu0.3) quantal-security; urgency=low
 .
   * SECURITY UPDATE: host header poisoning (LP: #1089337)
     - debian/patches/fix_get_host.patch: tighten host header validation in
       django/http/__init__.py, add info to docs/topics/security.txt, add
       tests to tests/regressiontests/requests/tests.py.
     - https://www.djangoproject.com/weblog/2012/dec/10/security/
     - No CVE number
   * SECURITY UPDATE: redirect poisoning (LP: #1089337)
     - debian/patches/fix_redirect_poisoning.patch: tighten validation in
       django/contrib/auth/views.py,
       django/contrib/comments/views/comments.py,
       django/contrib/comments/views/moderation.py,
       django/contrib/comments/views/utils.py, django/utils/http.py,
       django/views/i18n.py, add tests to
       tests/regressiontests/comment_tests/tests/comment_view_tests.py,
       tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
       tests/regressiontests/views/tests/i18n.py.
     - https://www.djangoproject.com/weblog/2012/dec/10/security/
     - No CVE number
   * SECURITY UPDATE: host header poisoning (LP: #1130445)
     - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
       to django/conf/global_settings.py,
       django/conf/project_template/project_name/settings.py,
       django/contrib/auth/tests/views.py,
       django/contrib/contenttypes/tests.py, django/contrib/sites/tests.py,
       django/http/__init__.py, django/test/utils.py, add docs to
       docs/ref/settings.txt, docs/topics/security.txt, add tests to
       tests/regressiontests/csrf_tests/tests.py,
       tests/regressiontests/requests/tests.py.
     - https://www.djangoproject.com/weblog/2013/feb/19/security/
     - No CVE number
   * SECURITY UPDATE: XML attacks (LP: #1130445)
     - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
       and external entities/DTDs in
       django/core/serializers/xml_serializer.py, add tests to
       tests/regressiontests/serializers_regress/tests.py.
     - https://www.djangoproject.com/weblog/2013/feb/19/security/
     - CVE-2013-1664
     - CVE-2013-1665
   * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
     - debian/patches/CVE-2013-0305.patch: add permission checks to history
       view in django/contrib/admin/options.py, add tests to
       tests/regressiontests/admin_views/tests.py.
     - https://www.djangoproject.com/weblog/2013/feb/19/security/
     - CVE-2013-0305
   * SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
     - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
       django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
       docs/topics/forms/modelforms.txt, add tests to
       tests/regressiontests/forms/tests/formsets.py,
       tests/regressiontests/generic_inline_admin/tests.py.
     - https://www.djangoproject.com/weblog/2013/feb/19/security/
     - CVE-2013-0306

Date: Thu, 07 Mar 2013 08:39:43 -0800
Changed-By: Adam Gandelman <adamg at ubuntu.com>
Signed-By: Adam Gandelman
Published-By: James Page <james.page at ubuntu.com>

More information about the Cloud-archive-changes mailing list