lp:debian/squeeze/python-django
- Get this branch: bzr branch lp:debian/squeeze/python-django
Branch information
- Owner: Ubuntu branches
- Status: Development
Recent revisions
- 25. By Salvatore Bonaccorso

  * Non-maintainer upload by the Security Team.
  * Add CVE-2014-1418.patch patch.
    CVE-2014-1418: Caches may be allowed to store and serve private data.
  * Add CVE-2014-3730.patch patch.
    CVE-2014-3730: Malformed URLs from user input incorrectly validated.
- 24. By Luke Faraone

  * Stable security upload:
    https://www.djangoproject.com/weblog/2013/sep/15/security/
    - Denial-of-service via large passwords. CVE-2013-1443
    Closes: #723043
- 23. By Raphaël Hertzog

  * Stable security upload:
    https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
    Fixes: CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
  * Apply/backport the 3 security patches:
    - debian/patches/16_fix_cross_site_scripting_in_authentication.diff
    - debian/patches/17_fix_dos_in_image_validation.diff
    - debian/patches/18_fix_dos_via_get_image_dimensions.diff
    Closes: #683364
- 22. By Raphaël Hertzog

  * Stable security upload:
    https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
  * Apply/backport the 3 security patches:
    - debian/patches/13_fix_safety_issue_with_session_data.diff
    - debian/patches/14_fix_dos_with_urlfield.diff
    - debian/patches/15_fix_spoofing_issue_with_x_forwarded_host.diff
    Closes: #641405
- 21. By lamby

  * Resolve two vulnerabilities:
    - Flaw in CSRF handling

      Django includes a cross-site request forgery protection mechanism, which
      makes use of a token inserted into outgoing forms. Middleware then checks
      for the token's presence on form submission, and validates it.

      Previously, however, Django's CSRF protection made an exception for AJAX
      requests, on the following basis:

      1. Many AJAX toolkits add an 'X-Requested-With' header when using
         XMLHttpRequest.
      2. Browsers have strict same-origin policies regarding XMLHttpRequest.
      3. In the context of a browser, the only way that a custom header of this
         nature can be added is with XMLHttpRequest.

      Therefore, for ease of use, Django did not apply CSRF checks to requests
      that appeared to be AJAX on the basis of the X-Requested-With header. The
      Ruby on Rails web framework had a similar exemption.

      Recently, engineers at Google made members of the Ruby on Rails
      development team aware of a combination of browser plugins and redirects
      which can allow an attacker to provide custom HTTP headers on a request
      to any website. This can allow a forged request to appear to be an AJAX
      request, thereby defeating CSRF protection which trusts the same-origin
      nature of AJAX requests.

      Michael Koziarski of the Rails team brought this to the Django
      developers' attention, and we were able to produce a proof-of-concept
      demonstrating the same vulnerability in Django's CSRF handling.

      To remedy this, Django will now apply full CSRF validation to all
      requests, regardless of apparent AJAX origin. This is technically
      backwards-incompatible, but the security risks have been judged to
      outweigh the compatibility concerns in this case.

      Extended notes on how to accommodate this change will be added to the
      Django homepage in following days.

    - Potential XSS in file field rendering

      Django's form system includes form fields and widgets for performing file
      uploads; in many cases, the name of the file currently stored in the
      field is displayed. In the process of rendering, the filename is
      displayed without being escaped.

      In many cases this does not result in a cross-site-scripting
      vulnerability, as file-storage backends can and are encouraged to (and
      the default backends provided with Django do) sanitize the supplied
      filename according to their requirements. However, the risk of a
      vulnerability appearing in a backend which does not sanitize, or which
      performs insufficient sanitization, is such that Django will now
      automatically escape filenames in form rendering.

      Thanks to James Bennett <email address hidden>.
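The CSRF change described in revision 21 above, as an added illustration that is not part of this changelog or of Django's own middleware: a minimal, hypothetical token check in which the old variant exempts requests carrying X-Requested-With and the new variant validates every state-changing request. Function names, the sample session token and the sample requests are constructed for this example.

```python
import hmac
import secrets

# Constructed sample per-session token; a real application issues one per session.
SESSION_TOKEN = secrets.token_hex(16)

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def _token_valid(token):
    # Constant-time comparison so the check does not leak token bytes via timing.
    return token is not None and hmac.compare_digest(token, SESSION_TOKEN)


def csrf_check_old(method, headers, form):
    """Pre-fix behaviour: a request that looks like AJAX skips token validation.

    The header was trusted on the assumption that only same-origin script could
    have added it, which the advisory above explains no longer holds.
    """
    if method in SAFE_METHODS:
        return True
    if headers.get("X-Requested-With") == "XMLHttpRequest":
        return True  # the exemption that the fix removes
    return _token_valid(form.get("csrfmiddlewaretoken"))


def csrf_check_new(method, headers, form):
    """Post-fix behaviour: every state-changing request must carry a valid token,
    regardless of any header suggesting an AJAX origin."""
    if method in SAFE_METHODS:
        return True
    return _token_valid(form.get("csrfmiddlewaretoken"))


# Constructed forged request: no form token, only the header the old check trusted.
FORGED = ("POST", {"X-Requested-With": "XMLHttpRequest"}, {})
# Constructed legitimate submission carrying the session's token.
LEGIT = ("POST", {}, {"csrfmiddlewaretoken": SESSION_TOKEN})

if __name__ == "__main__":
    print("old check, forged request:", csrf_check_old(*FORGED))   # accepted
    print("new check, forged request:", csrf_check_new(*FORGED))   # rejected
    print("new check, legitimate request:", csrf_check_new(*LEGIT))
```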
- 20. By Raphaël Hertzog

  * Squeeze upload with security fixes only:
    http://www.djangoproject.com/weblog/2010/dec/22/security/
  * Add patches 08_fix_info_leakage.diff and 09_fix_dos_password_reset.diff
    taken from upstream SVN repository. They did not apply cleanly, I had to
    drop a test.
- 19. By Evgeni Golov

  * Team upload.
  * Disable model tests that require an internet connection.
    Closes: #601070
  * Include python.mk conditionally as explained in its header.
    Helps backports to Lenny which has no python.mk.
    Closes: #601608
- 18. By Raphaël Hertzog

  [ Krzysztof Klimonda ]
  * New upstream release. Closes: #596893 LP: #636482
  * Fixes both an XSS vulnerability introduced in 1.2 series and
    the regressions caused by 1.2.2 release. Closes: #596205
  * debian/control:
    - depend on language packs for en_US.utf8 locales required for unit tests.
  * debian/rules:
    - re-enable build time tests.
    - set LC_ALL to en_US.utf8 for test suite.
  * debian/patches/series:
    - two new patches: 05_fix_regression_tests.diff and
      06_fix_regression_tests.diff backported from 1.2.x branch to fix
      test suite failures.

  [ Raphaël Hertzog ]
  * Update Standards-Version to 3.9.1.
  * Drop "--with quilt" and quilt build-dependency since the package is
    already using source format "3.0 (quilt)".
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)