[ubuntu/oneiric-security] python-django_1.3-2ubuntu1.1_i386_translations.tar.gz, python-django 1.3-2ubuntu1.1 (Accepted)

Jamie Strandboge jamie at ubuntu.com
Fri Dec 9 00:06:23 UTC 2011 

python-django (1.3-2ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: session manipulation when using django.contrib.sessions
    with memory-based sessions and caching
    - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
      for session instead of root namespace
    - CVE-2011-4136
  * SECURITY UPDATE: potential denial of service and information disclosure in
    URLField
    - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
      default and use a timeout if available. Also update to use a url opener
      that does not support local file access
    - CVE-2011-4137, CVE-2011-4138
  * SECURITY UPDATE: potential cache-poisoning via crafted Host header
    - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
      default when constructing full URLs
    - CVE-2011-4139
  * More information on these issues can be found at:
    https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/

Date: Mon, 28 Nov 2011 15:58:45 -0600
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/oneiric/+source/python-django/1.3-2ubuntu1.1
-------------- next part --------------
Format: 1.8
Date: Mon, 28 Nov 2011 15:58:45 -0600
Source: python-django
Binary: python-django python-django-doc
Architecture: source
Version: 1.3-2ubuntu1.1
Distribution: oneiric-security
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Changes: 
 python-django (1.3-2ubuntu1.1) oneiric-security; urgency=low
 .
   * SECURITY UPDATE: session manipulation when using django.contrib.sessions
     with memory-based sessions and caching
     - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
       for session instead of root namespace
     - CVE-2011-4136
   * SECURITY UPDATE: potential denial of service and information disclosure in
     URLField
     - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
       default and use a timeout if available. Also update to use a url opener
       that does not support local file access
     - CVE-2011-4137, CVE-2011-4138
   * SECURITY UPDATE: potential cache-poisoning via crafted Host header
     - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
       default when constructing full URLs
     - CVE-2011-4139
   * More information on these issues can be found at:
     https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
Checksums-Sha1: 
 6fc74575354d9a4af68336a01133b290e4e98ee5 2230 python-django_1.3-2ubuntu1.1.dsc
 a9f58fe013ebc9a0c627d717189fa95a3ccf4942 24646 python-django_1.3-2ubuntu1.1.debian.tar.gz
Checksums-Sha256: 
 34338f88f5e0b8dd6f689e9f8330d34805ff001c9a00075af6e7f6d57380446e 2230 python-django_1.3-2ubuntu1.1.dsc
 8f83d0d1cf78f8efc8a6b04e62c56ae5932bd02fd515f0805305aeb3cf20c40d 24646 python-django_1.3-2ubuntu1.1.debian.tar.gz
Files: 
 e347b428d74d25513b23af0b429c7908 2230 python optional python-django_1.3-2ubuntu1.1.dsc
 0518ec8951c24ac4322f732c962c14aa 24646 python optional python-django_1.3-2ubuntu1.1.debian.tar.gz
Original-Maintainer: Chris Lamb <lamby at debian.org>

More information about the Oneiric-changes mailing list