[ubuntu/oneiric-security] python-django_1.3-2ubuntu1.1_i386_translations.tar.gz, python-django 1.3-2ubuntu1.1 (Accepted)
Jamie Strandboge
jamie at ubuntu.com
Fri Dec 9 00:06:23 UTC 2011
python-django (1.3-2ubuntu1.1) oneiric-security; urgency=low
* SECURITY UPDATE: session manipulation when using django.contrib.sessions
with memory-based sessions and caching
- debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
for session instead of root namespace
- CVE-2011-4136
* SECURITY UPDATE: potential denial of service and information disclosure in
URLField
- debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
default and use a timeout if available. Also update to use a url opener
that does not support local file access
- CVE-2011-4137, CVE-2011-4138
* SECURITY UPDATE: potential cache-poisoning via crafted Host header
- debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
default when constructing full URLs
- CVE-2011-4139
* More information on these issues can be found at:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
Date: Mon, 28 Nov 2011 15:58:45 -0600
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/oneiric/+source/python-django/1.3-2ubuntu1.1
-------------- next part --------------
Format: 1.8
Date: Mon, 28 Nov 2011 15:58:45 -0600
Source: python-django
Binary: python-django python-django-doc
Architecture: source
Version: 1.3-2ubuntu1.1
Distribution: oneiric-security
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Description:
python-django - High-level Python web development framework
python-django-doc - High-level Python web development framework (documentation)
Changes:
python-django (1.3-2ubuntu1.1) oneiric-security; urgency=low
.
* SECURITY UPDATE: session manipulation when using django.contrib.sessions
with memory-based sessions and caching
- debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
for session instead of root namespace
- CVE-2011-4136
* SECURITY UPDATE: potential denial of service and information disclosure in
URLField
- debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
default and use a timeout if available. Also update to use a url opener
that does not support local file access
- CVE-2011-4137, CVE-2011-4138
* SECURITY UPDATE: potential cache-poisoning via crafted Host header
- debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
default when constructing full URLs
- CVE-2011-4139
* More information on these issues can be found at:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
Checksums-Sha1:
6fc74575354d9a4af68336a01133b290e4e98ee5 2230 python-django_1.3-2ubuntu1.1.dsc
a9f58fe013ebc9a0c627d717189fa95a3ccf4942 24646 python-django_1.3-2ubuntu1.1.debian.tar.gz
Checksums-Sha256:
34338f88f5e0b8dd6f689e9f8330d34805ff001c9a00075af6e7f6d57380446e 2230 python-django_1.3-2ubuntu1.1.dsc
8f83d0d1cf78f8efc8a6b04e62c56ae5932bd02fd515f0805305aeb3cf20c40d 24646 python-django_1.3-2ubuntu1.1.debian.tar.gz
Files:
e347b428d74d25513b23af0b429c7908 2230 python optional python-django_1.3-2ubuntu1.1.dsc
0518ec8951c24ac4322f732c962c14aa 24646 python optional python-django_1.3-2ubuntu1.1.debian.tar.gz
Original-Maintainer: Chris Lamb <lamby at debian.org>
More information about the Oneiric-changes
mailing list