lp:ubuntu/precise-updates/python-django
- Get this branch:
- bzr branch lp:ubuntu/precise-updates/python-django
Recent revisions
- 48. By Marc Deslauriers
  * SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
    - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
      URLs pointing to other hosts in django/core/urlresolvers.py, added
      tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
    - CVE-2014-0480
  * SECURITY UPDATE: denial of service via file upload handling
    - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
      django/core/files/storage.py, updated docs in
      docs/howto/custom-file-storage.txt, docs/ref/files/storage.txt,
      added tests to tests/modeltests/files/tests.py,
      tests/regressiontests/file_storage/tests.py, backport
      get_random_string() to django/utils/crypto.py.
    - CVE-2014-0481
  * SECURITY UPDATE: web session hijack via REMOTE_USER header
    - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
      logout on REMOTE_USER change in django/contrib/auth/middleware.py,
      added test to django/contrib/auth/tests/remote_user.py.
    - CVE-2014-0482
  * SECURITY UPDATE: data leak in contrib.admin via query string manipulation
    - debian/patches/CVE-2014-0483.patch: validate to_field in
      django/contrib/admin/{options,exceptions}.py,
      django/contrib/admin/views/main.py, added tests to
      tests/regressiontests/admin_views/tests.py.
    - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
      django/contrib/admin/options.py, added tests to
      tests/regressiontests/admin_views/{models,tests}.py.
    - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
      django/contrib/admin/options.py, added tests to
      tests/regressiontests/admin_views/{models,tests}.py.
    - CVE-2014-0483
- 47. By Seth Arnold
  * SECURITY UPDATE: cache coherency problems in old Internet Explorer
    compatibility functions lead to loss of privacy and cache poisoning
    attacks. (LP: #1317663)
    - debian/patches/drop_fix_ie_for_vary_1_4.diff: remove fix_IE_for_vary()
      and fix_IE_for_attach() functions so Cache-Control and Vary headers are
      no longer modified. This may introduce some regressions for IE 6 and IE 7
      users. Patch from upstream.
    - CVE-2014-1418
  * SECURITY UPDATE: The validation for redirects did not correctly validate
    some malformed URLs, which are accepted by some browsers. This allows a
    user to be redirected to an unsafe URL unexpectedly.
    - debian/patches/is_safe_url_1_4.diff: Forbid URLs starting with '///',
      forbid URLs without a host but with a path. Patch from upstream.
- 46. By Marc Deslauriers
  * SECURITY REGRESSION: security fix regression when a view is a partial
    (LP: #1311433)
    - debian/patches/CVE-2014-0472-regression.patch: create the lookup_str
      from the original function whenever a partial is provided as an
      argument to a url pattern in django/core/urlresolvers.py,
      added tests to tests/regressiontests/urlpatterns_reverse/urls.py,
      tests/regressiontests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
- 45. By Marc Deslauriers
  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
      tests/regressiontests/urlpatterns_reverse/tests.py,
      tests/regressiontests/urlpatterns_reverse/urls.py,
      tests/regressiontests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/regressiontests/model_fields/tests.py.
    - CVE-2014-0474
- 44. By Marc Deslauriers
  * SECURITY UPDATE: denial of service via long passwords (LP: #1225784)
    - debian/patches/CVE-2013-1443.patch: enforce a maximum password length
      in django/contrib/auth/forms.py, django/contrib/auth/models.py,
      django/contrib/auth/tests/basic.py.
    - CVE-2013-1443
  * SECURITY UPDATE: directory traversal with ssi template tag
    - debian/patches/CVE-2013-4315.patch: properly check absolute path in
      django/template/defaulttags.py,
      tests/regressiontests/templates/tests.py.
    - CVE-2013-4315
  * SECURITY UPDATE: possible XSS via is_safe_url
    - debian/patches/security-is_safe_url.patch: properly reject URLs which
      specify a scheme other than HTTP or HTTPS.
    - https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
    - No CVE number
- 43. By Andres Rodriguez
  [ Julian Edwards ]
  * debian/patches:
    - prefetch_related.diff: Backport prefetch_related from 1.4 (LP: #1081388)
    - bug15496-base64-multipart-fix.diff: Include fix for upstream bug #15496
      which makes 'Content-Transfer-Encoding: base64' work for multipart
      messages. (LP: #1081392)
- 42. By Marc Deslauriers
  * SECURITY UPDATE: host header poisoning (LP: #1089337)
    - debian/patches/fix_get_host.patch: tighten host header validation in
      django/http/__init__.py, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: redirect poisoning (LP: #1089337)
    - debian/patches/fix_redirect_poisoning.patch: tighten validation in
      django/contrib/auth/views.py,
      django/contrib/comments/views/comments.py,
      django/contrib/comments/views/moderation.py,
      django/contrib/comments/views/utils.py, django/utils/http.py,
      django/views/i18n.py, add tests to
      tests/regressiontests/comment_tests/tests/comment_view_tests.py,
      tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
      tests/regressiontests/views/tests/i18n.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: host header poisoning (LP: #1130445)
    - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
      to django/conf/global_settings.py,
      django/conf/project_template/settings.py,
      django/http/__init__.py, django/test/utils.py, add docs to
      docs/ref/settings.txt, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - No CVE number
  * SECURITY UPDATE: XML attacks (LP: #1130445)
    - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
      and external entities/DTDs in
      django/core/serializers/xml_serializer.py, add tests to
      tests/regressiontests/serializers_regress/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-1664
    - CVE-2013-1665
  * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
    - debian/patches/CVE-2013-0305.patch: add permission checks to history
      view in django/contrib/admin/options.py, add tests to
      tests/regressiontests/admin_views/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0305
  * SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
    - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
      django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
      docs/topics/forms/modelforms.txt, add tests to
      tests/regressiontests/forms/tests/formsets.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0306
- 41. By Andres Rodriguez
  [ Julian Edwards ]
  * debian/patches:
    - genericipaddressfield.diff: Backport GenericIPAddressField
      from 1.4 (LP: #1081391)
    - prefetch_related.diff: Backport prefetch_related from 1.4 (LP: #1081388)
    - bug15496-base64-multipart-fix.diff: Include fix for upstream bug #15496
      which makes 'Content-Transfer-Encoding: base64' work for multipart
      messages. (LP: #1081392)
- 40. By Jamie Strandboge
  * Add additional tests for CVE-2012-4520
    - debian/patches/CVE-2012-4520-additional-tests.diff: add various poisoned
      host header test material
  * Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py
    - debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from 500
    - https://code.djangoproject.com/ticket/19172
    - LP: #1080204
- 39. By Jamie Strandboge
  * SECURITY UPDATE: fix Host header poisoning
    - debian/patches/CVE-2012-4520.diff: adjust HttpRequest.get_host() to
      raise django.core.exceptions.SuspiciousOperation if Host headers contain
      potentially dangerous content. Patch thanks to Mackenzie Morgan.
    - CVE-2012-4520
    - LP: #1068486
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp:ubuntu/quantal/python-django