~ubuntu-branches/ubuntu/precise/python-django/precise-updates

Viewing all changes in revision 42.

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2013-03-04 10:13:59 UTC
  • mfrom: (40.1.1 precise-security)
  • Revision ID: package-import@ubuntu.com-20130304101359-5p3ljw20ckif0h9c
Tags: 1.3.1-4ubuntu1.6
* SECURITY UPDATE: host header poisoning (LP: #1089337)
  - debian/patches/fix_get_host.patch: tighten host header validation in
    django/http/__init__.py, add tests to
    tests/regressiontests/requests/tests.py.
  - https://www.djangoproject.com/weblog/2012/dec/10/security/
  - No CVE number
* SECURITY UPDATE: redirect poisoning (LP: #1089337)
  - debian/patches/fix_redirect_poisoning.patch: tighten validation in
    django/contrib/auth/views.py,
    django/contrib/comments/views/comments.py,
    django/contrib/comments/views/moderation.py,
    django/contrib/comments/views/utils.py, django/utils/http.py,
    django/views/i18n.py, add tests to
    tests/regressiontests/comment_tests/tests/comment_view_tests.py,
    tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
    tests/regressiontests/views/tests/i18n.py.
  - https://www.djangoproject.com/weblog/2012/dec/10/security/
  - No CVE number
* SECURITY UPDATE: host header poisoning (LP: #1130445)
  - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
    to django/conf/global_settings.py,
    django/conf/project_template/settings.py,
    django/http/__init__.py, django/test/utils.py, add docs to
    docs/ref/settings.txt, add tests to
    tests/regressiontests/requests/tests.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - No CVE number
* SECURITY UPDATE: XML attacks (LP: #1130445)
  - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
    and external entities/DTDs in
    django/core/serializers/xml_serializer.py, add tests to
    tests/regressiontests/serializers_regress/tests.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-1664
  - CVE-2013-1665
* SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
  - debian/patches/CVE-2013-0305.patch: add permission checks to history
    view in django/contrib/admin/options.py, add tests to
    tests/regressiontests/admin_views/tests.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-0305
* SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
  - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
    django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
    docs/topics/forms/modelforms.txt, add tests to
    tests/regressiontests/forms/tests/formsets.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-0306

expand all expand all

Show diffs side-by-side

added added

removed removed

Lines of Context: