Django security update 1.3.2

Bug #1031733 reported by Marti
This bug affects 3 people

Affects                 Status        Importance  Assigned to
python-django (Ubuntu)  Fix Released  Undecided   Unassigned
  Lucid                 Fix Released  Undecided   Marc Deslauriers
  Natty                 Fix Released  Undecided   Marc Deslauriers
  Oneiric               Fix Released  Undecided   Marc Deslauriers
  Precise               Fix Released  High        Marc Deslauriers
  Quantal               Fix Released  Undecided   Unassigned

Bug Description

The Django project released a security update 1.3.2 on July 30, please update this in Ubuntu precise.

https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/

In particular, Django security releases should be coordinated with the distributors: "If you are or represent a third-party distributor of Django and did not receive a notification email regarding this announcement from the Django release manager, please contact <email address hidden>."

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: python-django 1.3.1-4ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-26.41-virtual 3.2.19
Uname: Linux 3.2.0-26-virtual x86_64
ApportVersion: 2.0.1-0ubuntu11
Architecture: amd64
Date: Wed Aug 1 14:35:05 2012
InstallationMedia: Ubuntu-Server 11.04 "Natty Narwhal" - Release amd64 (20110426)
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_US:en
 TERM=xterm
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/usr/bin/zsh
SourcePackage: python-django
UpgradeStatus: Upgraded to precise on 2012-05-03 (89 days ago)

Marti (intgr) wrote :
visibility: private → public
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-django (Ubuntu):
status: New → Confirmed
James Bennett (ubernostrum) wrote :

Quick heads-up: a Python 2.4 compatibility issue has been found in the 1.3.2 package. A patch has landed upstream:

https://github.com/django/django/commit/d0d5dc6cd76f01c8a71b677357ad2f702cb54416

And we (Django) will be issuing 1.3.3 as a bugfix release for this within the next 24 hours.

Scott Kitterman (kitterman) wrote :

Fixed in 1.4.1, which is in quantal.

Changed in python-django (Ubuntu Quantal):
status: Confirmed → Fix Released
Changed in python-django (Ubuntu Precise):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Scott Kitterman (kitterman)
milestone: none → precise-updates
Scott Kitterman (kitterman) wrote :

Since there are non-security changes in 1.3.2/3, we'll cherry-pick just the commits for precise and oneiric. Debian has 1.2 patches we can use for natty. I did not check applicability to hardy or lucid.

Scott Kitterman (kitterman) wrote :

Fix for precise.

Changed in python-django (Ubuntu Precise):
status: In Progress → Confirmed
Scott Kitterman (kitterman) wrote :

I did build the package. Given the upstream test suite that runs during build, I think that should be sufficient given that the change is the exact upstream change.

Steve Beattie (sbeattie) wrote :

Thanks, Scott, I'll review and push.

Changed in python-django (Ubuntu Precise):
assignee: Scott Kitterman (kitterman) → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-django (Ubuntu Natty):
status: New → Confirmed
Changed in python-django (Ubuntu Oneiric):
status: New → Confirmed
Changed in python-django (Ubuntu Precise):
assignee: Steve Beattie (sbeattie) → Marc Deslauriers (mdeslaur)
Changed in python-django (Ubuntu Lucid):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-django (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-django (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3.1-4ubuntu1.2

---------------
python-django (1.3.1-4ubuntu1.2) precise-security; urgency=high

  [ Scott Kitterman ]
  * SECURITY UPDATE: multiple issues (LP: #1031733)
  * References CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
    https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
  * New upstream release to address three security issues:
    - Cross-site scripting in authentication views
    - Denial-of-service in image validation
    - Denial-of-service via get_image_dimensions()
  * Added debian/patches/security_http_redirects,
    security_image_uploading_two, and security_image_uploading cherry picked
    from upstream git

  [ Marc Deslauriers ]
  * debian/patches/security_http_redirects: remove unrelated changes, add
    python 2.4 regression fix.
 -- Marc Deslauriers <email address hidden> Thu, 06 Sep 2012 08:36:28 -0400

Changed in python-django (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.1.1-2ubuntu1.5

---------------
python-django (1.1.1-2ubuntu1.5) lucid-security; urgency=low

  * SECURITY UPDATE: Cross-site scripting in authentication views
    (LP: #1031733)
    - debian/patches/16_fix_cross_site_scripting_in_authentication.diff:
      fix unsafe redirects in django/http/__init__.py. Patch backported from
      Debian Squeeze and fixed for python 2.4 compatibility.
    - CVE-2012-3442
  * SECURITY UPDATE: Denial-of-service in image validation (LP: #1031733)
    - debian/patches/17_fix_dos_in_image_validation.diff: call verify()
      immediately after the constructor in django/forms/fields.py.
    - CVE-2012-3443
  * SECURITY UPDATE: Denial-of-service via get_image_dimensions()
    (LP: #1031733)
    - debian/patches/18_fix_dos_via_get_image_dimensions.diff: don't limit
      chunk size in django/core/files/images.py.
    - CVE-2012-3444
 -- Marc Deslauriers <email address hidden> Thu, 06 Sep 2012 09:56:37 -0400

Changed in python-django (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.2.5-1ubuntu1.2

---------------
python-django (1.2.5-1ubuntu1.2) natty-security; urgency=low

  * SECURITY UPDATE: Cross-site scripting in authentication views
    (LP: #1031733)
    - debian/patches/16_fix_cross_site_scripting_in_authentication.diff:
      fix unsafe redirects in django/http/__init__.py, add test case to
      tests/regressiontests/httpwrappers/tests.py. Patch backport taken
      from Debian Squeeze and fixed for python 2.4 compatibility.
    - CVE-2012-3442
  * SECURITY UPDATE: Denial-of-service in image validation (LP: #1031733)
    - debian/patches/17_fix_dos_in_image_validation.diff: call verify()
      immediately after the constructor in django/forms/fields.py.
    - CVE-2012-3443
  * SECURITY UPDATE: Denial-of-service via get_image_dimensions()
    (LP: #1031733)
    - debian/patches/18_fix_dos_via_get_image_dimensions.diff: don't limit
      chunk size in django/core/files/images.py.
    - CVE-2012-3444
 -- Marc Deslauriers <email address hidden> Thu, 06 Sep 2012 09:39:29 -0400

Changed in python-django (Ubuntu Natty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3-2ubuntu1.3

---------------
python-django (1.3-2ubuntu1.3) oneiric-security; urgency=low

  [ Scott Kitterman ]
  * SECURITY UPDATE: multiple issues (LP: #1031733)
  * References CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
    https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
  * New upstream release to address three security issues:
    - Cross-site scripting in authentication views
    - Denial-of-service in image validation
    - Denial-of-service via get_image_dimensions()
  * Added debian/patches/security_http_redirects,
    security_image_uploading_two, and security_image_uploading cherry picked
    from upstream git

  [ Steve Beattie ]
  * added debian/patches/10_fix_testsuite_failure.patch: adjust
    test_week_view_allow_future to ensure the first week of the year is
    selected

  [ Marc Deslauriers ]
  * debian/patches/security_http_redirects: remove unrelated changes, add
    python 2.4 regression fix.
 -- Marc Deslauriers <email address hidden> Thu, 06 Sep 2012 08:40:28 -0400

Changed in python-django (Ubuntu Oneiric):
status: Confirmed → Fix Released
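The redirect hardening that the changelogs above describe for CVE-2012-3442 (django/http/__init__.py), as an added example: this is not the Ubuntu package's or Django's own code. It assumes, as the upstream fix did, an allow-list of http, https and ftp, and rejects any other scheme before the value can reach a Location header.

```python
import re
from urllib.parse import urlsplit

# Schemes a redirect may carry; assumed to match the upstream allow-list.
ALLOWED_SCHEMES = ("http", "https", "ftp")


class UnsafeRedirect(Exception):
    """Raised instead of emitting a Location header for a rejected target."""


def _normalize(url):
    """Mimic browser pre-processing of a Location value.

    Browsers drop ASCII tab/CR/LF anywhere in a URL and ignore leading
    control characters and spaces, so a tab inside "javascript:" still
    reaches the client as "javascript:". Apply the same cleanup first so
    the scheme we check is the scheme the browser will act on.
    """
    cleaned = url.replace("\t", "").replace("\r", "").replace("\n", "")
    return re.sub(r"^[\x00-\x20]+", "", cleaned)


def redirect_scheme(url):
    """Lower-cased scheme of the redirect target, '' for a relative URL."""
    return urlsplit(_normalize(url)).scheme.lower()


def is_safe_redirect(url, allowed=ALLOWED_SCHEMES):
    """True if the target is relative or uses an allowed scheme.

    This is a scheme check only: it keeps script-bearing targets such as
    javascript: or data: out of a redirect, but it does not by itself stop
    redirects to other hosts (open redirects), which need a host check.
    """
    scheme = redirect_scheme(url)
    return scheme == "" or scheme in allowed


def safe_redirect_location(url):
    """Return a Location header value, or raise UnsafeRedirect."""
    if not is_safe_redirect(url):
        raise UnsafeRedirect("Unsafe redirect to URL with scheme %r"
                             % redirect_scheme(url))
    return _normalize(url)
```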