-
Committer:
Package Import Robot
-
Author(s):
Jamie Strandboge
-
Date:
2011-12-07 16:02:57 UTC
-
Revision ID:
package-import@ubuntu.com-20111207160257-qf1eipsdrelza8ky
Tags: 1.1.1-2ubuntu1.4
* SECURITY UPDATE: session manipulation when using django.contrib.sessions
with memory-based sessions and caching
- debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
for session instead of root namespace
- CVE-2011-4136
* SECURITY UPDATE: potential denial of service and information disclosure in
URLField
- debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
default and use a timeout if available.
- CVE-2011-4137, CVE-2011-4138
* SECURITY UPDATE: potential cache-poisoning via crafted Host header
- debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
default when constructing full URLs
- CVE-2011-4139
* More information on these issues can be found at:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/