[ubuntu/maverick-security] python-django_1.2.3-1ubuntu0.2.10.10.3_i386_translations.tar.gz, python-django 1.2.3-1ubuntu0.2.10.10.3 (Accepted)
Jamie Strandboge
jamie at ubuntu.com
Fri Dec 9 00:07:33 UTC 2011
python-django (1.2.3-1ubuntu0.2.10.10.3) maverick-security; urgency=low

  * SECURITY UPDATE: session manipulation when using django.contrib.sessions
    with memory-based sessions and caching
    - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
      for session instead of root namespace
    - CVE-2011-4136
  * SECURITY UPDATE: potential denial of service and information disclosure in
    URLField
    - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
      default and use a timeout if available.
    - CVE-2011-4137, CVE-2011-4138
  * SECURITY UPDATE: potential cache-poisoning via crafted Host header
    - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
      default when constructing full URLs
    - CVE-2011-4139
  * debian/patches/01_disable_url_verify_regression_tests.diff: remove the
    test_correct_url_but_nonexisting_gives_404() test from the
    modeltests/validation/tests.py too. Not sure how it passed before, but
    this makes the CVE-2011-4137+4138.patch consistent with our other releases
    since the upstream fix for CVE-2011-4137+4138.patch removed this test too.
  * More information on these issues can be found at:
    https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
Date: Wed, 07 Dec 2011 15:52:55 -0600
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/maverick/+source/python-django/1.2.3-1ubuntu0.2.10.10.3
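The CVE-2011-4139 change in miniature, as an added example and not code from Django or from the Ubuntu patch: a pre-fix host lookup that trusts any X-Forwarded-Host header beside a post-fix one that ignores it unless the deployment opts in, run over a constructed WSGI environ. The opt-in flag here mirrors the USE_X_FORWARDED_HOST setting Django introduced for this fix; the environ and hostnames are made up for the demonstration.

```python
# Added example (not Django's code). Shows why the patch stops honouring
# X-Forwarded-Host by default: the header is client-controlled, and a full
# URL built from it (password-reset links, redirects, cached pages) would
# carry a host the site never served.
from typing import Mapping


def get_host_vulnerable(meta: Mapping[str, str]) -> str:
    """Pre-fix behaviour: X-Forwarded-Host wins whenever it is present."""
    if "HTTP_X_FORWARDED_HOST" in meta:
        return meta["HTTP_X_FORWARDED_HOST"]
    return meta.get("HTTP_HOST", meta["SERVER_NAME"])


def get_host_fixed(meta: Mapping[str, str], use_x_forwarded_host: bool = False) -> str:
    """Post-fix behaviour: only a deployment that really sits behind a
    trusted proxy sets use_x_forwarded_host (Django's USE_X_FORWARDED_HOST)."""
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in meta:
        return meta["HTTP_X_FORWARDED_HOST"]
    if "HTTP_HOST" in meta:
        return meta["HTTP_HOST"]
    # No Host header (e.g. HTTP/1.0 client): fall back to the server's own
    # name, appending the port only when it is not the scheme default.
    host = meta["SERVER_NAME"]
    port = str(meta.get("SERVER_PORT", "80"))
    secure = meta.get("wsgi.url_scheme") == "https"
    if port != ("443" if secure else "80"):
        host = "%s:%s" % (host, port)
    return host


def build_absolute_uri(meta: Mapping[str, str], path: str,
                       use_x_forwarded_host: bool = False) -> str:
    """Full URL for a path, the operation the changelog says is affected."""
    scheme = "https" if meta.get("wsgi.url_scheme") == "https" else "http"
    return "%s://%s%s" % (scheme, get_host_fixed(meta, use_x_forwarded_host), path)


# Constructed WSGI environ: the request reached the app directly, yet carries
# an X-Forwarded-Host value that no trusted proxy set.
FORGED_REQUEST = {
    "SERVER_NAME": "www.example.com",
    "SERVER_PORT": "80",
    "HTTP_HOST": "www.example.com",
    "HTTP_X_FORWARDED_HOST": "untrusted.example.net",  # client-supplied
    "wsgi.url_scheme": "http",
}
```

With the default (opt-out) behaviour, `build_absolute_uri(FORGED_REQUEST, "/reset/")` yields a link on `www.example.com`; only a deployment that explicitly enables the flag gets the proxy header's value.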
-------------- next part --------------
Format: 1.8
Date: Wed, 07 Dec 2011 15:52:55 -0600
Source: python-django
Binary: python-django python-django-doc
Architecture: source
Version: 1.2.3-1ubuntu0.2.10.10.3
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Description:
python-django - High-level Python web development framework
python-django-doc - High-level Python web development framework (documentation)
Original-Maintainer: Chris Lamb <lamby at debian.org>