~ubuntu-branches/ubuntu/lucid/python-django/lucid-security : changes

~ubuntu-branches/ubuntu/lucid/python-django/lucid-security » Changes from revision 39

From Revision 39 to 20

Rev	Summary	Authors	Tags	Date
39	* SECURITY UPDATE: incorrect url validation in core.urlresol... * SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating URLs pointing to other hosts in django/core/urlresolvers.py, added tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py. - CVE-2014-0480 * SECURITY UPDATE: denial of service via file upload handling - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in django/core/files/storage.py, updated docs in docs/howto/custom-file-storage.txt, added tests to tests/modeltests/files/models.py, tests/regressiontests/file_storage/tests.py, backport get_random_string() to django/utils/crypto.py. - CVE-2014-0481 * SECURITY UPDATE: web session hijack via REMOTE_USER header - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to logout on REMOTE_USE change in django/contrib/auth/middleware.py, added test to django/contrib/auth/tests/remote_user.py. - CVE-2014-0482 * SECURITY UPDATE: data leak in contrib.admin via query string manipulation - debian/patches/CVE-2014-0483.patch: validate to_field in django/contrib/admin/{options,exceptions}.py, django/contrib/admin/views/main.py, added tests to tests/regressiontests/admin_views/tests.py. - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in django/contrib/admin/options.py, added tests to tests/regressiontests/admin_views/{models,tests}.py. - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in django/contrib/admin/options.py, added tests to tests/regressiontests/admin_views/{models,tests}.py. - CVE-2014-0483 * debian/patches/fix_invalid_link_ftbfs.patch: remove test causing FTBFS.	Marc Deslauriers	1.1.1-2ubuntu1.13	10 years ago
38	* SECURITY UPDATE: cache coherency problems in old Internet ... * SECURITY UPDATE: cache coherency problems in old Internet Explorer compatibility functions lead to loss of privacy and cache poisoning attacks. (LP: #1317663) - debian/patches/drop_fix_ie_for_vary_1_4.diff: remove fix_IE_for_vary() and fix_IE_for_attach() functions so Cache-Control and Vary headers are no longer modified. This may introduce some regressions for IE 6 and IE 7 users. Patch from upstream. - CVE-2014-1418	Seth Arnold	1.1.1-2ubuntu1.12	10 years ago
37	* SECURITY REGRESSION: security fix regression when a view i... * SECURITY REGRESSION: security fix regression when a view is a partial (LP: #1311433) - debian/patches/CVE-2014-0472-regression.patch: create the lookup_str from the original function whenever a partial is provided as an argument to a url pattern in django/core/urlresolvers.py, added tests to tests/regressiontests/urlpatterns_reverse/urls.py, tests/regressiontests/urlpatterns_reverse/views.py. - CVE-2014-0472	Marc Deslauriers	1.1.1-2ubuntu1.11	10 years ago
36	* SECURITY UPDATE: unexpected code execution using reverse() * SECURITY UPDATE: unexpected code execution using reverse() (LP: #1309779) - debian/patches/CVE-2014-0472.patch: added filtering to django/core/urlresolvers.py, added tests to tests/regressiontests/urlpatterns_reverse/nonimported_module.py, tests/regressiontests/urlpatterns_reverse/tests.py, tests/regressiontests/urlpatterns_reverse/urls.py, tests/regressiontests/urlpatterns_reverse/views.py. - CVE-2014-0472 * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token (LP: #1309782) - debian/patches/CVE-2014-0473.patch: don't cache responses with a cookie in django/middleware/cache.py, backport has_vary_header() to django/utils/cache.py. - CVE-2014-0473 * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784) - debian/patches/CVE-2014-0474.patch: convert arguments to correct type in django/db/models/fields/__init__.py, added tests to tests/regressiontests/model_fields/tests.py. - CVE-2014-0474	Marc Deslauriers	1.1.1-2ubuntu1.10	10 years ago
35	* SECURITY UPDATE: denial of service via long passwords (LP:... * SECURITY UPDATE: denial of service via long passwords (LP: #1225784) - debian/patches/CVE-2013-1443.patch: enforce a maximum password length in django/contrib/auth/forms.py, django/contrib/auth/models.py, django/contrib/auth/tests/basic.py. - CVE-2013-1443 * SECURITY UPDATE: directory traversal with ssi template tag - debian/patches/CVE-2013-4315.patch: properly check absolute path in django/template/defaulttags.py, tests/regressiontests/templates/tests.py, tests/regressiontests/templates/templates/. - CVE-2013-4315 SECURITY UPDATE: possible XSS via is_safe_url - debian/patches/security-is_safe_url.patch: properly reject URLs which specify a scheme other then HTTP or HTTPS. - https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/ - No CVE number	Marc Deslauriers	1.1.1-2ubuntu1.9	11 years ago
34	* SECURITY UPDATE: host header poisoning (LP: #1089337) * SECURITY UPDATE: host header poisoning (LP: #1089337) - debian/patches/fix_get_host.patch: tighten host header validation in django/http/__init__.py, add tests to tests/regressiontests/requests/tests.py. - https://www.djangoproject.com/weblog/2012/dec/10/security/ - No CVE number * SECURITY UPDATE: redirect poisoning (LP: #1089337) - debian/patches/fix_redirect_poisoning.patch: tighten validation in django/contrib/auth/views.py, django/contrib/comments/views/comments.py, django/contrib/comments/views/moderation.py, django/contrib/comments/views/utils.py, django/utils/http.py, django/views/i18n.py, add tests to tests/regressiontests/comment_tests/tests/comment_view_tests.py, tests/regressiontests/comment_tests/tests/moderation_view_tests.py, tests/regressiontests/views/tests/i18n.py. - https://www.djangoproject.com/weblog/2012/dec/10/security/ - No CVE number * SECURITY UPDATE: host header poisoning (LP: #1130445) - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting to django/conf/global_settings.py, django/conf/project_template/settings.py, django/http/__init__.py, django/test/utils.py, add docs to docs/ref/settings.txt, add tests to tests/regressiontests/requests/tests.py, backport required function to django/utils/functional.py. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - No CVE number * SECURITY UPDATE: XML attacks (LP: #1130445) - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion, and external entities/DTDs in django/core/serializers/xml_serializer.py, add tests to tests/regressiontests/serializers_regress/tests.py. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - CVE-2013-1664 - CVE-2013-1665 * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445) - debian/patches/CVE-2013-0305.patch: add permission checks to history view in django/contrib/admin/options.py, add tests to tests/regressiontests/admin_views/tests.py. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - CVE-2013-0305 * SECURITY UPDATE: Formset denial-of-service (LP: #1130445) - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - CVE-2013-0306	Marc Deslauriers	1.1.1-2ubuntu1.8	12 years ago
33	* Add additional tests for CVE-2012-4520 * Add additional tests for CVE-2012-4520 - debian/patches/CVE-2012-4520-additional-tests.diff: add various poisoned host header test material * Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py - debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from 500 - https://code.djangoproject.com/ticket/19172 - LP: #1080204	Jamie Strandboge	1.1.1-2ubuntu1.7	12 years ago
32	* SECURITY UPDATE: fix Host header poisoning * SECURITY UPDATE: fix Host header poisoning - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to raise django.core.exceptions.SuspiciousOperation if Host headers contain potentially dangerous content. - CVE-2012-4520 - LP: #1068486	Jamie Strandboge	1.1.1-2ubuntu1.6	12 years ago
31	* SECURITY UPDATE: Cross-site scripting in authentication vi... * SECURITY UPDATE: Cross-site scripting in authentication views (LP: #1031733) - debian/patches/16_fix_cross_site_scripting_in_authentication.diff: fix unsafe redirects indjango/http/__init__.py. Patch backported from Debian Squeeze and fixed for python 2.4 compatibility. - CVE-2012-3442 * SECURITY UPDATE: Denial-of-service in image validation (LP: #1031733) - debian/patches/17_fix_dos_in_image_validation.diff: call verify() immediately after the constructor in django/forms/fields.py. - CVE-2012-3443 * SECURITY UPDATE: Denial-of-service via get_image_dimensions() (LP: #1031733) - debian/patches/18_fix_dos_via_get_image_dimensions.diff: don't limit chunk size in django/core/files/images.py. - CVE-2012-3444	Marc Deslauriers	1.1.1-2ubuntu1.5	12 years ago
30	* SECURITY UPDATE: session manipulation when using django.co... * SECURITY UPDATE: session manipulation when using django.contrib.sessions with memory-based sessions and caching - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys for session instead of root namespace - CVE-2011-4136 * SECURITY UPDATE: potential denial of service and information disclosure in URLField - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by default and use a timeout if available. - CVE-2011-4137, CVE-2011-4138 * SECURITY UPDATE: potential cache-poisoning via crafted Host header - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by default when constructing full URLs - CVE-2011-4139 * More information on these issues can be found at: https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/	Jamie Strandboge	1.1.1-2ubuntu1.4	13 years ago
29	* SECURITY UPDATE: flaw in CSRF handling (LP: #719031) * SECURITY UPDATE: flaw in CSRF handling (LP: #719031) - debian/patches/10_CVE-2011-0696.diff: apply full CSRF validation to all requests, regardless of apparent AJAX origin. This is technically backwards-incompatible, but the security risks have been judged to outweigh the compatibility concerns in this case. See the Django project notes for more information: http://www.djangoproject.com/weblog/2011/feb/08/security/ - CVE-2011-0696 * SECURITY UPDATE: potential XSS in file field rendering - debian/patches/11_CVE-2011-0697.diff: properly escape URL in django/contrib/admin/widgets.py - CVE-2011-0697	Jamie Strandboge	1.1.1-2ubuntu1.3	14 years ago
28	* SECURITY UPDATE: information leak in admin interface * SECURITY UPDATE: information leak in admin interface - debian/patches/08_security_admin_infoleak.diff: validate querystring lookup arguments either specify only fields on the model being viewed, or cross relations which have been explicitly whitelisted. - CVE-2010-4534 * SECURITY UPDATE: - debian/patches/09_security_pasword_reset_dos.diff: adjust base36_to_int() function in django.utils.http will now validate the length of its input; on input longer than 13 digits (sufficient to base36-encode any 64-bit integer), it will now raise ValueError. Additionally, the default URL patterns for django.contrib.auth will now enforce a maximum length on the relevant parameters. - CVE-2010-4535	Jamie Strandboge	1.1.1-2ubuntu1.2	14 years ago
27	Fix django test client cookie handling. Fix django test client cookie handling.	James Westby	1.1.1-2ubuntu1	15 years ago
26	* Remove embedded "decimal" code copy and use system version... * Remove embedded "decimal" code copy and use system version instead. The "doctest" code copy cannot be removed as parts of Django depend on modified behaviour. (Closes: #555419) * Fix FTBFS in November by applying patch from upstream bug #12125. (Closes: #555931) * Fix FTBFS under Python 2.6.3 by applying patch from upstream bug #11993. (Closes: #555969)	Chris Lamb	1.1.1-2	15 years ago
25	* Merge python-django 1.1.1-1 from debian unstable (LP: #447... * Merge python-django 1.1.1-1 from debian unstable (LP: #447617) for security and bug fixes, all Ubuntu changes merged by Debian. * Add to debian/patches: - 20_python2.6.3_regression.patch - backported upstream commit 11620 to make Django work with Python 2.6.3 properly. (LP: #445639)	Krzysztof Klimonda	1.1.1-1ubuntu1	15 years ago
24	* debian/patches/20_disable_url_verify_regression_tests.diff * debian/patches/20_disable_url_verify_regression_tests.diff - Disable regression tests that require internet connection.	Krzysztof Klimonda	1.1-2ubuntu1	15 years ago
23	* Run testsuite on build. * Run testsuite on build. * Use "--with quilt" over specifying $(QUILT_STAMPFN)/unpatch dependencies. * Override clean target correctly.	Chris Lamb	1.1-2	15 years ago
22	* New upstream release. * New upstream release. * Merge from experimental: - Ship FastCGI initscript and /etc/default file in python-django's examples directory (Closes: #538863) - Drop "05_10539-sphinx06-compatibility.diff"; it has been applied upstream. - Bump Standards-Version to 3.8.2.	Chris Lamb	1.1-1	15 years ago
21	Fix compatibility with Python 2.6 and Python transitions in ... Fix compatibility with Python 2.6 and Python transitions in general. Thanks to Krzysztof Klimonda <kklimonda@syntaxhighlighted.com>.	Chris Lamb	1.0.2-7	15 years ago
20	Python 2.6 transition. Python 2.6 transition.	Michael Bienia	1.0.2-5ubuntu1	15 years ago

Older »