Created by James Westby on 2011-01-07 and last modified on 2014-09-10
Get this branch:
bzr branch lp:ubuntu/lucid-security/python-django
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

39. By Marc Deslauriers on 2014-09-10

* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
  - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
    URLs pointing to other hosts in django/core/urlresolvers.py, added
    tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
  - CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
  - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
    django/core/files/storage.py, updated docs in
    docs/howto/custom-file-storage.txt, added tests to
    tests/regressiontests/file_storage/tests.py, backport
    get_random_string() to django/utils/crypto.py.
  - CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
  - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
    logout on REMOTE_USE change in django/contrib/auth/middleware.py,
    added test to django/contrib/auth/tests/remote_user.py.
  - CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
  - debian/patches/CVE-2014-0483.patch: validate to_field in
    django/contrib/admin/views/main.py, added tests to
  - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
    django/contrib/admin/options.py, added tests to
  - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
    django/contrib/admin/options.py, added tests to
  - CVE-2014-0483
* debian/patches/fix_invalid_link_ftbfs.patch: remove test causing FTBFS.

38. By Seth Arnold on 2014-05-14

* SECURITY UPDATE: cache coherency problems in old Internet Explorer
  compatibility functions lead to loss of privacy and cache poisoning
  attacks. (LP: #1317663)
  - debian/patches/drop_fix_ie_for_vary_1_4.diff: remove fix_IE_for_vary()
    and fix_IE_for_attach() functions so Cache-Control and Vary headers are
    no longer modified. This may introduce some regressions for IE 6 and IE 7
    users. Patch from upstream.
  - CVE-2014-1418

37. By Marc Deslauriers on 2014-04-22

* SECURITY REGRESSION: security fix regression when a view is a partial
  (LP: #1311433)
  - debian/patches/CVE-2014-0472-regression.patch: create the lookup_str
    from the original function whenever a partial is provided as an
    argument to a url pattern in django/core/urlresolvers.py,
    added tests to tests/regressiontests/urlpatterns_reverse/urls.py,
  - CVE-2014-0472

36. By Marc Deslauriers on 2014-04-19

* SECURITY UPDATE: unexpected code execution using reverse()
  (LP: #1309779)
  - debian/patches/CVE-2014-0472.patch: added filtering to
    django/core/urlresolvers.py, added tests to
  - CVE-2014-0472
* SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
  (LP: #1309782)
  - debian/patches/CVE-2014-0473.patch: don't cache responses with a
    cookie in django/middleware/cache.py, backport has_vary_header() to
  - CVE-2014-0473
* SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
  - debian/patches/CVE-2014-0474.patch: convert arguments to correct
    type in django/db/models/fields/__init__.py, added tests to
  - CVE-2014-0474

35. By Marc Deslauriers on 2013-09-20

* SECURITY UPDATE: denial of service via long passwords (LP: #1225784)
  - debian/patches/CVE-2013-1443.patch: enforce a maximum password length
    in django/contrib/auth/forms.py, django/contrib/auth/models.py,
  - CVE-2013-1443
* SECURITY UPDATE: directory traversal with ssi template tag
  - debian/patches/CVE-2013-4315.patch: properly check absolute path in
  - CVE-2013-4315
* SECURITY UPDATE: possible XSS via is_safe_url
  - debian/patches/security-is_safe_url.patch: properly reject URLs which
    specify a scheme other then HTTP or HTTPS.
  - https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
  - No CVE number

34. By Marc Deslauriers on 2013-03-04

* SECURITY UPDATE: host header poisoning (LP: #1089337)
  - debian/patches/fix_get_host.patch: tighten host header validation in
    django/http/__init__.py, add tests to
  - https://www.djangoproject.com/weblog/2012/dec/10/security/
  - No CVE number
* SECURITY UPDATE: redirect poisoning (LP: #1089337)
  - debian/patches/fix_redirect_poisoning.patch: tighten validation in
    django/contrib/comments/views/utils.py, django/utils/http.py,
    django/views/i18n.py, add tests to
  - https://www.djangoproject.com/weblog/2012/dec/10/security/
  - No CVE number
* SECURITY UPDATE: host header poisoning (LP: #1130445)
  - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
    to django/conf/global_settings.py,
    django/http/__init__.py, django/test/utils.py, add docs to
    docs/ref/settings.txt, add tests to
    tests/regressiontests/requests/tests.py, backport required function
    to django/utils/functional.py.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - No CVE number
* SECURITY UPDATE: XML attacks (LP: #1130445)
  - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
    and external entities/DTDs in
    django/core/serializers/xml_serializer.py, add tests to
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-1664
  - CVE-2013-1665
* SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
  - debian/patches/CVE-2013-0305.patch: add permission checks to history
    view in django/contrib/admin/options.py, add tests to
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-0305
* SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
  - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
    django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt.
  - https://www.djangoproject.com/weblog/2013/feb/19/security/
  - CVE-2013-0306

33. By Jamie Strandboge on 2012-11-19

* Add additional tests for CVE-2012-4520
  - debian/patches/CVE-2012-4520-additional-tests.diff: add various poisoned
    host header test material
* Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py
  - debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from 500
  - https://code.djangoproject.com/ticket/19172
  - LP: #1080204

32. By Jamie Strandboge on 2012-11-09

* SECURITY UPDATE: fix Host header poisoning
  - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
    raise django.core.exceptions.SuspiciousOperation if Host headers contain
    potentially dangerous content.
  - CVE-2012-4520
  - LP: #1068486

31. By Marc Deslauriers on 2012-09-06

* SECURITY UPDATE: Cross-site scripting in authentication views
  (LP: #1031733)
  - debian/patches/16_fix_cross_site_scripting_in_authentication.diff:
    fix unsafe redirects indjango/http/__init__.py. Patch backported from
    Debian Squeeze and fixed for python 2.4 compatibility.
  - CVE-2012-3442
* SECURITY UPDATE: Denial-of-service in image validation (LP: #1031733)
  - debian/patches/17_fix_dos_in_image_validation.diff: call verify()
    immediately after the constructor in django/forms/fields.py.
  - CVE-2012-3443
* SECURITY UPDATE: Denial-of-service via get_image_dimensions()
  (LP: #1031733)
  - debian/patches/18_fix_dos_via_get_image_dimensions.diff: don't limit
    chunk size in django/core/files/images.py.
  - CVE-2012-3444

30. By Jamie Strandboge on 2011-12-07

* SECURITY UPDATE: session manipulation when using django.contrib.sessions
  with memory-based sessions and caching
  - debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
    for session instead of root namespace
  - CVE-2011-4136
* SECURITY UPDATE: potential denial of service and information disclosure in
  - debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
    default and use a timeout if available.
  - CVE-2011-4137, CVE-2011-4138
* SECURITY UPDATE: potential cache-poisoning via crafted Host header
  - debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
    default when constructing full URLs
  - CVE-2011-4139
* More information on these issues can be found at:

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
This branch contains Public information 
Everyone can see this information.