[ubuntu-cloud-archive/cloud-tools-proposed] python-django (Accepted)

Scott Moser smoser at ubuntu.com
Fri Feb 6 16:06:06 UTC 2015


 python-django (1.6.1-2ubuntu0.6~ctools0) precise; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 python-django (1.6.1-2ubuntu0.6) trusty-security; urgency=medium
 .
   * SECURITY UPDATE: WSGI header spoofing via underscore/dash conflation
     - debian/patches/CVE-2015-0219.patch: strip headers with underscores in
       django/core/servers/basehttp.py, added blurb to
       docs/howto/auth-remote-user.txt, added test to
       tests/servers/test_basehttp.py.
     - CVE-2015-0219
   * SECURITY UPDATE: Mitigated possible XSS attack via user-supplied
     redirect URLs
     - debian/patches/CVE-2015-0220.patch: filter url in
       django/utils/http.py, added test to tests/utils_tests/test_http.py.
     - CVE-2015-0220
   * SECURITY UPDATE: Denial-of-service attack against
     django.views.static.serve
     - debian/patches/CVE-2015-0221.patch: limit large files in
       django/views/static.py, added test to
       tests/view_tests/media/long-line.txt,
       tests/view_tests/tests/test_static.py.
     - CVE-2015-0221
   * SECURITY UPDATE: Database denial-of-service with
     ModelMultipleChoiceField
     - debian/patches/CVE-2015-0222.patch: check values in
       django/forms/models.py, added test to tests/model_forms/tests.py.
     - CVE-2015-0222
 .
 python-django (1.6.1-2ubuntu0.5) trusty-proposed; urgency=medium
 .
   * debian/patches/99_fix_multipart_base64_decoding_large_files.patch:
     Fix Multipart base64 file decoding with large files ensuring that the
     actual base64 content has a length a multiple of 4. (LP: #1363348)
   * debian/patches/
 .
 python-django (1.6.1-2ubuntu0.4) trusty-security; urgency=medium
 .
   * SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
     - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
       URLs pointing to other hosts in django/core/urlresolvers.py, added
       tests to tests/urlpatterns_reverse/{tests,urls}.py.
     - CVE-2014-0480
   * SECURITY UPDATE: denial of service via file upload handling
     - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
       django/core/files/storage.py, updated docs in
       docs/howto/custom-file-storage.txt, docs/ref/files/storage.txt,
       added tests to tests/file_storage/tests.py, tests/files/tests.py.
     - CVE-2014-0481
   * SECURITY UPDATE: web session hijack via REMOTE_USER header
     - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
       logout on REMOTE_USER change in django/contrib/auth/middleware.py,
       added test to django/contrib/auth/tests/test_remote_user.py.
     - CVE-2014-0482
   * SECURITY UPDATE: data leak in contrib.admin via query string manipulation
     - debian/patches/CVE-2014-0483.patch: validate to_field in
       django/contrib/admin/{options,exceptions}.py,
       django/contrib/admin/views/main.py, added docs to
       docs/ref/exceptions.txt, added tests to tests/admin_views/tests.py.
     - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
       django/contrib/admin/options.py, added tests to
       tests/admin_views/{admin,models,tests}.py.
     - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
       django/contrib/admin/options.py, added tests to
       tests/admin_views/{admin,models,tests}.py.
     - CVE-2014-0483
 .
 python-django (1.6.1-2ubuntu0.3) trusty-security; urgency=medium
 .
   * SECURITY UPDATE: cache coherency problems in old Internet Explorer
     compatibility functions lead to loss of privacy and cache poisoning
     attacks. (LP: #1317663)
     - debian/patches/drop_fix_ie_for_vary_1_6.diff: remove fix_IE_for_vary()
       and fix_IE_for_attach() functions so Cache-Control and Vary headers are
       no longer modified. This may introduce some regressions for IE 6 and IE 7
       users. Patch from upstream.
     - CVE-2014-1418
   * SECURITY UPDATE: The validation for redirects did not correctly validate
     some malformed URLs, which are accepted by some browsers. This allows a
     user to be redirected to an unsafe URL unexpectedly.
     - debian/patches/is_safe_url_1_6.diff: Forbid URLs starting with '///',
       forbid URLs without a host but with a path. Patch from upstream.

Date: Fri, 06 Feb 2015 07:24:48 -0500
Changed-By: Scott Moser <smoser at ubuntu.com>
Signed-By: Scott Moser <smoser at ubuntu.com>
Published-By: Scott Moser <smoser at ubuntu.com>
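Added example, not code from the python-django package, its Debian patches, or the upstream Django project: a small Python script that shows the two input-handling checks the changelog above describes in words. The first part reproduces the WSGI header name conflation behind the CVE-2015-0219 entry (a dash and an underscore both map to `_` in the `HTTP_*` environ key) and the mitigation the patch description gives, dropping any header whose name contains an underscore before it reaches the environ. The second part implements the two redirect rules listed for `is_safe_url_1_6.diff`: reject targets starting with `///`, and reject targets that carry a scheme but no host (such as `http:///evil.example`, where the would-be host is actually parsed as a path). The function names, the constructed header list, and the hostnames `app.example` and `evil.example` are the example's own assumptions.

```python
"""Added example: defensive checks matching two entries in the changelog.
Not from python-django or its Debian patches; all names here are assumed."""
from urllib.parse import urlparse


def wsgi_key(header_name):
    """Map an HTTP header name to its CGI/WSGI environ key.

    This is the conflation CVE-2015-0219 is about: 'X-Remote-User' and
    'X_Remote_User' both become 'HTTP_X_REMOTE_USER'.
    (Simplified: real servers also special-case Content-Type/Content-Length.)
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(raw_headers, strip_underscores=True):
    """Build the HTTP_* part of a WSGI environ from (name, value) pairs.

    strip_underscores=True is the mitigated behaviour described in the
    changelog: any header whose name contains an underscore is discarded,
    so an untrusted 'X_Remote_User' cannot overwrite a proxy-set
    'X-Remote-User' under the shared environ key.
    strip_underscores=False shows the pre-fix behaviour, where the later
    header silently wins.
    """
    environ = {}
    for name, value in raw_headers:
        if strip_underscores and "_" in name:
            continue  # dropped before it can collide with a dashed header
        environ[wsgi_key(name)] = value
    return environ


# Constructed sample request headers: the dashed header is what a trusted
# reverse proxy would set; the underscored one is client-supplied.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("X-Remote-User", "alice"),
    ("X_Remote_User", "admin"),
]


def is_safe_redirect(url, host):
    """Return True only for relative or same-host redirect targets.

    Implements the two rules the changelog lists for is_safe_url_1_6.diff:
    - reject URLs starting with '///' (browsers treat them as absolute,
      urlparse does not);
    - reject URLs with a scheme but no host, e.g. 'http:///evil.example',
      where 'evil.example' is parsed as a path component but a browser
      would still use it as the host.
    """
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # Browsers treat backslashes as forward slashes; normalise before
    # parsing so '\\evil.example' is judged the same as '//evil.example'.
    url = url.replace("\\", "/")
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    if parts.scheme and not parts.netloc:
        return False
    same_host = (not parts.netloc) or parts.netloc == host
    known_scheme = (not parts.scheme) or parts.scheme in ("http", "https")
    return same_host and known_scheme


if __name__ == "__main__":
    before = build_environ(SAMPLE_HEADERS, strip_underscores=False)
    after = build_environ(SAMPLE_HEADERS)
    print("pre-fix  HTTP_X_REMOTE_USER =", before["HTTP_X_REMOTE_USER"])
    print("post-fix HTTP_X_REMOTE_USER =", after["HTTP_X_REMOTE_USER"])
    for target in ("/accounts/profile/", "https://app.example/next",
                   "///evil.example/", "http:///evil.example",
                   "https://evil.example/"):
        print(f"{target!r:32} safe={is_safe_redirect(target, 'app.example')}")
```

Running the script prints `admin` for the pre-fix environ and `alice` once underscored headers are stripped, then the five redirect targets with only the relative path and the same-host URL marked safe. The header check is the one a deployment should apply at the edge (the development server fix in the changelog is for `basehttp.py`; production WSGI servers and proxies need the equivalent rule themselves), and the redirect check is only as good as the `host` value it is compared against, which must come from trusted configuration rather than from the request.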

