[ubuntu/lucid-updates] python-django 1.1.1-2ubuntu1.13 (Accepted)
Ubuntu Archive Robot
cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Tue Sep 16 12:29:20 UTC 2014
python-django (1.1.1-2ubuntu1.13) lucid-security; urgency=medium

  * SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
    - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
      URLs pointing to other hosts in django/core/urlresolvers.py, added
      tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
    - CVE-2014-0480
  * SECURITY UPDATE: denial of service via file upload handling
    - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
      django/core/files/storage.py, updated docs in
      docs/howto/custom-file-storage.txt, added tests to
      tests/modeltests/files/models.py,
      tests/regressiontests/file_storage/tests.py, backport
      get_random_string() to django/utils/crypto.py.
    - CVE-2014-0481
  * SECURITY UPDATE: web session hijack via REMOTE_USER header
    - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
      logout on REMOTE_USER change in django/contrib/auth/middleware.py,
      added test to django/contrib/auth/tests/remote_user.py.
    - CVE-2014-0482
  * SECURITY UPDATE: data leak in contrib.admin via query string manipulation
    - debian/patches/CVE-2014-0483.patch: validate to_field in
      django/contrib/admin/{options,exceptions}.py,
      django/contrib/admin/views/main.py, added tests to
      tests/regressiontests/admin_views/tests.py.
    - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
      django/contrib/admin/options.py, added tests to
      tests/regressiontests/admin_views/{models,tests}.py.
    - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
      django/contrib/admin/options.py, added tests to
      tests/regressiontests/admin_views/{models,tests}.py.
    - CVE-2014-0483
  * debian/patches/fix_invalid_link_ftbfs.patch: remove test causing FTBFS.

Date: 2014-09-10 19:24:12.732371+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/lucid/+source/python-django/1.1.1-2ubuntu1.13