← Back to branch summary

~ubuntu-branches/ubuntu/saucy/python-django/saucy-updates

~ubuntu-branches/ubuntu/saucy/python-django/saucy-updates

« back to all changes in this revision

Viewing changes to debian/changelog

Committer: Package Import Robot
Author(s): Seth Arnold
Date: 2014-05-14 11:00:30 UTC
Revision ID: package-import@ubuntu.com-20140514110030-yhmd7dx55yxd735g

Tags: 1.5.4-1ubuntu1.3

https://launchpad.net/bugs/1317663

* SECURITY UPDATE: cache coherency problems in old Internet Explorer
  compatibility functions lead to loss of privacy and cache poisoning
  attacks. (LP: #1317663)
  - debian/patches/drop_fix_ie_for_vary_1_5.diff: remove fix_IE_for_vary()
    and fix_IE_for_attach() functions so Cache-Control and Vary headers are
    no longer modified. This may introduce some regressions for IE 6 and IE 7
    users. Patch from upstream.
  - CVE-2014-1418
* SECURITY UPDATE: The validation for redirects did not correctly validate
  some malformed URLs, which are accepted by some browsers. This allows a
  user to be redirected to an unsafe URL unexpectedly.
  - debian/patches/is_safe_url_1_5.diff: Forbid URLs starting with '///',
    forbid URLs without a host but with a path. Patch from upstream.

files added:
.pc/drop_fix_ie_for_vary_1_5.diff

.pc/drop_fix_ie_for_vary_1_5.diff/django

.pc/drop_fix_ie_for_vary_1_5.diff/django/core

.pc/drop_fix_ie_for_vary_1_5.diff/django/core/handlers

.pc/drop_fix_ie_for_vary_1_5.diff/django/core/handlers/base.py

.pc/drop_fix_ie_for_vary_1_5.diff/django/http

.pc/drop_fix_ie_for_vary_1_5.diff/django/http/__init__.py

.pc/drop_fix_ie_for_vary_1_5.diff/django/http/utils.py

.pc/drop_fix_ie_for_vary_1_5.diff/tests

.pc/drop_fix_ie_for_vary_1_5.diff/tests/regressiontests

.pc/drop_fix_ie_for_vary_1_5.diff/tests/regressiontests/utils

.pc/drop_fix_ie_for_vary_1_5.diff/tests/regressiontests/utils/http.py

.pc/is_safe_url_1_5.diff

.pc/is_safe_url_1_5.diff/django

.pc/is_safe_url_1_5.diff/django/contrib

.pc/is_safe_url_1_5.diff/django/contrib/auth

.pc/is_safe_url_1_5.diff/django/contrib/auth/tests

.pc/is_safe_url_1_5.diff/django/contrib/auth/tests/views.py

.pc/is_safe_url_1_5.diff/django/utils

.pc/is_safe_url_1_5.diff/django/utils/http.py

.pc/is_safe_url_1_5.diff/tests

.pc/is_safe_url_1_5.diff/tests/regressiontests

.pc/is_safe_url_1_5.diff/tests/regressiontests/utils

.pc/is_safe_url_1_5.diff/tests/regressiontests/utils/http.py

debian/patches/drop_fix_ie_for_vary_1_5.diff

debian/patches/is_safe_url_1_5.diff

files modified:
.pc/applied-patches

debian/changelog

debian/patches/series

django/contrib/auth/tests/views.py

django/core/handlers/base.py

django/http/__init__.py

django/http/utils.py

django/utils/http.py

tests/regressiontests/utils/http.py

Show diffs side-by-side

added added

removed removed

debian/changelog

1

python-django (1.5.4-1ubuntu1.3) saucy-security; urgency=medium

2

3

* SECURITY UPDATE: cache coherency problems in old Internet Explorer

4

compatibility functions lead to loss of privacy and cache poisoning

5

attacks. (LP: #1317663)

6

- debian/patches/drop_fix_ie_for_vary_1_5.diff: remove fix_IE_for_vary()

7

and fix_IE_for_attach() functions so Cache-Control and Vary headers are

8

no longer modified. This may introduce some regressions for IE 6 and IE 7

9

users. Patch from upstream.

10

- CVE-2014-1418

11

* SECURITY UPDATE: The validation for redirects did not correctly validate

12

some malformed URLs, which are accepted by some browsers. This allows a

13

user to be redirected to an unsafe URL unexpectedly.

14

- debian/patches/is_safe_url_1_5.diff: Forbid URLs starting with '///',

15

forbid URLs without a host but with a path. Patch from upstream.

16

17

-- Seth Arnold <seth.arnold@canonical.com> Wed, 14 May 2014 11:00:30 -0700

18

1

19

python-django (1.5.4-1ubuntu1.2) saucy-security; urgency=medium

2

20

3

21

* SECURITY REGRESSION: security fix regression when a view is a partial

Older »