[ubuntu/lucid-updates] python-django 1.1.1-2ubuntu1.8 (Accepted)

Ubuntu Archive Robot cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Thu Mar 7 15:59:13 UTC 2013


python-django (1.1.1-2ubuntu1.8) lucid-security; urgency=low

  * SECURITY UPDATE: host header poisoning (LP: #1089337)
    - debian/patches/fix_get_host.patch: tighten host header validation in
      django/http/__init__.py, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: redirect poisoning (LP: #1089337)
    - debian/patches/fix_redirect_poisoning.patch: tighten validation in
      django/contrib/auth/views.py,
      django/contrib/comments/views/comments.py,
      django/contrib/comments/views/moderation.py,
      django/contrib/comments/views/utils.py, django/utils/http.py,
      django/views/i18n.py, add tests to
      tests/regressiontests/comment_tests/tests/comment_view_tests.py,
      tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
      tests/regressiontests/views/tests/i18n.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: host header poisoning (LP: #1130445)
    - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
      to django/conf/global_settings.py,
      django/conf/project_template/settings.py,
      django/http/__init__.py, django/test/utils.py, add docs to
      docs/ref/settings.txt, add tests to
      tests/regressiontests/requests/tests.py, backport required function
      to django/utils/functional.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - No CVE number
  * SECURITY UPDATE: XML attacks (LP: #1130445)
    - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
      and external entities/DTDs in
      django/core/serializers/xml_serializer.py, add tests to
      tests/regressiontests/serializers_regress/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-1664
    - CVE-2013-1665
  * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
    - debian/patches/CVE-2013-0305.patch: add permission checks to history
      view in django/contrib/admin/options.py, add tests to
      tests/regressiontests/admin_views/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0305
  * SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
    - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
      django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0306

Date: 2013-03-05 02:15:18.793439+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/lucid/+source/python-django/1.1.1-2ubuntu1.8
-------------- next part --------------
Sorry, changesfile not available.


More information about the Lucid-changes mailing list