--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-10400
2010-06-25 17:05:54
--------------------------------------------------------------------------------

Name        : python-paste
Product     : Fedora 11
Version     : 1.7.4
Release     : 1.fc11
URL         : http://pythonpaste.org
Summary     : Tools for using a Web Server Gateway Interface stack
Description :
These provide several pieces of "middleware" (or filters) that can be nested
to build web applications. Each piece of middleware uses the WSGI (PEP 333)
interface, and should be compatible with other middleware based on those
interfaces.

--------------------------------------------------------------------------------
Update Information:

***1.7.4***

* The only real change is to paste.httpexceptions, which was using insecure
  quoting of some parameters and allowed an XSS hole, most specifically with
  its 404 messages. The most notable WSGI applications using this are
  paste.urlparse.StaticURLParser and PkgResourcesParser. By directing someone
  to an appropriately formed URL an attacker can execute arbitrary JavaScript
  on the victim's client. paste.urlmap.URLMap is also affected, but only if
  you have no application attached to /. Other applications using
  paste.httpexceptions may be affected (especially HTTPNotFound).
  WebOb/webob.exc.HTTPNotFound is not affected.

***1.7.3***

* Fix paste.httpserver on Python 2.6.
* Fix paste.auth.cookie, which would insert newlines for long cookies.
* paste.util.mimeparse parses a single * in Accept headers (sent by IE 6).
* Fix some problems with the wdg_validate middleware.
* Improvements to paste.auth.auth_tkt: add httponly support, don’t always
  aggressively set cookies without the wildcard_cookie option. Also on
  logout, make cookies expire.
* In paste.proxy.Proxy handle Content-Length of -1.
* In paste.httpexceptions avoid some unicode errors.
* In paste.httpserver handle .read() from 100 Continue properly (because of
  a typo it was doing a readline).
* Update paste.util.mimeparse from upstream.

http://pythonpaste.org/news.html
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 24 2010 Luke Macken <[email protected]> - 1.7.4-1
- 1.7.4 security release
* Sun Jul 26 2009 Fedora Release Engineering <[email protected]> - 1.7.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Mon Jun 22 2009 Kyle VanderBeek <[email protected]> - 1.7.2-3
- Package formerly ghost'ed .pyo files
- Update to current python package methods
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update python-paste' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
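
The 1.7.4 note above describes a 404 message that echoed request parameters without HTML quoting. The following is an added example, not code from Paste or from this advisory: a standard-library WSGI sketch of that bug class next to its quoted form, plus a regression check that can be pointed at any WSGI 404 handler. It assumes the reflected value is the request path; every function name and the probe string are constructed for illustration.

```python
# Added illustration, NOT Paste's source. All names here are hypothetical.
from html import escape
from wsgiref.util import setup_testing_defaults


def _not_found(environ, start_response, quote):
    """Build a 404 page that reflects the requested path (assumed parameter)."""
    path = environ.get("PATH_INFO", "")
    # The whole difference between the two handlers is this one line.
    detail = escape(path, quote=True) if quote else path
    body = ("<html><body><h1>404 Not Found</h1>"
            "<p>The resource %s could not be found.</p></body></html>" % detail)
    data = body.encode("utf-8")
    start_response("404 Not Found", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(data))),
    ])
    return [data]


def unsafe_not_found(environ, start_response):
    """Bug class from the advisory: path is placed in HTML unquoted."""
    return _not_found(environ, start_response, quote=False)


def safe_not_found(environ, start_response):
    """Corrected form: path is HTML-escaped before it reaches the page."""
    return _not_found(environ, start_response, quote=True)


def render(app, path):
    """Call a WSGI app in-process and return (status, decoded body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body


def reflects_raw_markup(app, probe="/<b id=probe>"):
    """Regression check: True if markup in the path reaches the body unescaped."""
    _, body = render(app, probe)
    return probe.lstrip("/") in body
```

`reflects_raw_markup` accepts any WSGI callable, so it can be run against an application's own 404 handling before and after applying this update.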
