[ubuntu/natty-security] python-django_1.2.5-1ubuntu1.1_i386_translations.tar.gz, python-django 1.2.5-1ubuntu1.1 (Accepted)

Jamie Strandboge jamie at ubuntu.com
Fri Dec 9 00:07:02 UTC 2011


python-django (1.2.5-1ubuntu1.1) natty-security; urgency=low

  * SECURITY UPDATE: session manipulation when using django.contrib.sessions
    with memory-based sessions and caching
    - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
      for session instead of root namespace
    - CVE-2011-4136
  * SECURITY UPDATE: potential denial of service and information disclosure in
    URLField
    - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
      default and use a timeout if available.
    - CVE-2011-4137, CVE-2011-4138
  * SECURITY UPDATE: potential cache-poisoning via crafted Host header
    - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
      default when constructing full URLs
    - CVE-2011-4139
  * More information on these issues can be found at:
    https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/

Date: Wed, 07 Dec 2011 15:28:04 -0600
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/natty/+source/python-django/1.2.5-1ubuntu1.1
-------------- next part --------------
Format: 1.8
Date: Wed, 07 Dec 2011 15:28:04 -0600
Source: python-django
Binary: python-django python-django-doc
Architecture: source
Version: 1.2.5-1ubuntu1.1
Distribution: natty-security
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Changes: 
 python-django (1.2.5-1ubuntu1.1) natty-security; urgency=low
 .
   * SECURITY UPDATE: session manipulation when using django.contrib.sessions
     with memory-based sessions and caching
     - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
       for session instead of root namespace
     - CVE-2011-4136
   * SECURITY UPDATE: potential denial of service and information disclosure in
     URLField
     - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
       default and use a timeout if available.
     - CVE-2011-4137, CVE-2011-4138
   * SECURITY UPDATE: potential cache-poisoning via crafted Host header
     - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
       default when constructing full URLs
     - CVE-2011-4139
   * More information on these issues can be found at:
     https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
Checksums-Sha1: 
 53629a1160745104f2316ed3c9f94170b5a0444c 2244 python-django_1.2.5-1ubuntu1.1.dsc
 f49ddc01932dcb1f743c390e357b507d8e8bf28b 21935 python-django_1.2.5-1ubuntu1.1.debian.tar.gz
Checksums-Sha256: 
 a410f9d5497a2b69bf9e635d15e9ec234970763ca4b919dd4ee1e72ad95c0abb 2244 python-django_1.2.5-1ubuntu1.1.dsc
 fec6db8ca32fd76e37e292567cf1db7d5ca8fff73a4f76a4af80180247e74893 21935 python-django_1.2.5-1ubuntu1.1.debian.tar.gz
Files: 
 1f6f9135ddeb95772cf0815779ef77c1 2244 python optional python-django_1.2.5-1ubuntu1.1.dsc
 c5d301873595794b01614dfb90c8f923 21935 python optional python-django_1.2.5-1ubuntu1.1.debian.tar.gz
Original-Maintainer: Chris Lamb <lamby at debian.org>

