On Fri, Aug 23, 2013 at 05:53:12PM +0000, Salvatore Bonaccorso wrote:
> Package        : python-django
> Vulnerability  : cross-site scripting vulnerability
> Problem type   : remote
> Debian-specific: no
>
> Nick Brunn reported a possible cross-site scripting vulnerability in
> python-django, a high-level Python web development framework.
>
> The is_safe_url utility function used to validate that a used URL is on
> the current host to avoid potentially dangerous redirects from
> maliciously-constructed querystrings, worked as intended for HTTP and
> HTTPS URLs, but permitted redirects to other schemes, such as
> javascript:.
>
> The is_safe_url function has been modified to properly recognize and
> reject URLs which specify a scheme other than HTTP or HTTPS, to prevent
> cross-site scripting attacks through redirecting to other schemes.
>
> For the oldstable distribution (squeeze), this problem has been fixed in
> version 1.2.3-3+squeeze6.
>
> For the stable distribution (wheezy), this problem has been fixed in
> version 1.4.5-1+deb7u1.
Hi,

Are there any plans to update squeeze-backports with this release, please?
(I can do so otherwise).

Cheers,
Dominic.
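As an added illustration of the flaw the quoted advisory describes (this is not Django's is_safe_url nor the Debian patch, and the function names and the sample host are assumptions), the snippet below puts a "same host only" redirect check beside one that also restricts the scheme to HTTP/HTTPS. A host-only check passes a javascript: target because such a URL has no host component at all; the hardened check rejects it and anything else that is not plain HTTP(S) or a relative path.

```python
from urllib.parse import urlparse

# Only these schemes may appear in a redirect target (assumption for this example).
ALLOWED_SCHEMES = ("http", "https")


def is_safe_redirect_target_weak(url, host):
    """Host-only check, the behaviour the advisory describes as insufficient.

    It accepts any URL whose network location is empty or equals `host`,
    so 'javascript:alert(1)' (no netloc) is wrongly reported as safe.
    Hypothetical helper written for this example, not Django code.
    """
    parsed = urlparse(url)
    return not parsed.netloc or parsed.netloc == host


def is_safe_redirect_target(url, host):
    """Same-host check plus a scheme allowlist (hypothetical helper).

    Returns True only for relative paths or absolute http/https URLs on `host`.
    """
    if not url:
        return False
    url = url.strip()                 # leading whitespace can mask a scheme from naive prefix checks
    if url.startswith("///"):        # browsers may treat '///host' like '//host'; reject conservatively
        return False
    parsed = urlparse(url)           # urlparse lower-cases the scheme, so 'JavaScript:' is caught too
    if parsed.scheme and parsed.scheme not in ALLOWED_SCHEMES:
        return False
    return not parsed.netloc or parsed.netloc == host


def resolve_next(next_param, host, fallback="/"):
    """Pick the post-login destination: the validated 'next' value or a safe fallback."""
    return next_param if is_safe_redirect_target(next_param, host) else fallback


if __name__ == "__main__":
    # Constructed sample inputs: a benign relative path, a same-host absolute URL,
    # an off-host URL, a scheme-relative URL and a javascript: target.
    samples = [
        "/accounts/profile/",
        "https://example.com/dashboard",
        "http://evil.example/steal",
        "//evil.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:40} weak={is_safe_redirect_target_weak(s, 'example.com')!s:5} "
              f"hardened={is_safe_redirect_target(s, 'example.com')}")
```

Running it shows the weak check accepting the javascript: sample while the hardened check only lets the relative path and the same-host HTTPS URL through; resolve_next is how a login view would consume the result.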

