https://launchpad.net/ubuntu/oneiric/+source/python-django/1.3-2ubuntu1.1
Format: 1.8
Date: Mon, 28 Nov 2011 15:58:45 -0600
Source: python-django
Binary: python-django python-django-doc
Architecture: source
Version: 1.3-2ubuntu1.1
Distribution: oneiric-security
Urgency: low
Maintainer: Ubuntu Developers <[email protected]>
Changed-By: Jamie Strandboge <[email protected]>
Description:
python-django - High-level Python web development framework
python-django-doc - High-level Python web development framework (documentation)
Changes:
python-django (1.3-2ubuntu1.1) oneiric-security; urgency=low
.
* SECURITY UPDATE: session manipulation when using django.contrib.sessions
with memory-based sessions and caching
- debian/patches/CVE-2011-4136.patch: use namespace of cache to store keys
for session instead of root namespace
- CVE-2011-4136
* SECURITY UPDATE: potential denial of service and information disclosure in
URLField
- debian/patches/CVE-2011-4137+4138.patch: set verify_exists to False by
default and use a timeout if available. Also update to use a url opener
that does not support local file access
- CVE-2011-4137, CVE-2011-4138
* SECURITY UPDATE: potential cache-poisoning via crafted Host header
- debian/patches/CVE-2011-4139.patch: ignore X-Forwarded-Host header by
default when constructing full URLs
- CVE-2011-4139
* More information on these issues can be found at:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
Checksums-Sha1:
6fc74575354d9a4af68336a01133b290e4e98ee5 2230 python-django_1.3-2ubuntu1.1.dsc
a9f58fe013ebc9a0c627d717189fa95a3ccf4942 24646 python-django_1.3-2ubuntu1.1.debian.tar.gz
Checksums-Sha256:
34338f88f5e0b8dd6f689e9f8330d34805ff001c9a00075af6e7f6d57380446e 2230 python-django_1.3-2ubuntu1.1.dsc
8f83d0d1cf78f8efc8a6b04e62c56ae5932bd02fd515f0805305aeb3cf20c40d 24646 python-django_1.3-2ubuntu1.1.debian.tar.gz
Files:
e347b428d74d25513b23af0b429c7908 2230 python optional python-django_1.3-2ubuntu1.1.dsc
0518ec8951c24ac4322f732c962c14aa 24646 python optional python-django_1.3-2ubuntu1.1.debian.tar.gz
Original-Maintainer: Chris Lamb <[email protected]>
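The two changelog items that change request handling (CVE-2011-4139, X-Forwarded-Host ignored unless explicitly enabled, and CVE-2011-4136, session keys stored under their own cache namespace) are easier to reason about side by side in code. The block below is an added illustration written for this page; it is not Django's code and not part of the Ubuntu patches. The function names, the `use_x_forwarded_host` flag, the prefix constant and the sample headers are constructed for the example.

```python
"""Illustration of two mitigations described in this changelog.

Constructed example, not Django's own implementation:
  - host selection before and after the CVE-2011-4139 fix
  - namespaced session cache keys as in the CVE-2011-4136 fix
"""

# Assumed prefix for session entries in a shared cache (constructed here;
# the real fix introduces a similar constant in django.contrib.sessions).
SESSION_KEY_PREFIX = "django.contrib.sessions.cache"


def _lookup(headers, name):
    """Case-insensitive header lookup over a plain dict of request headers."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def legacy_get_host(headers):
    """Pre-fix behaviour (constructed model): X-Forwarded-Host wins whenever
    it is present, so whoever can set that header chooses the host that
    ends up in every absolute URL the application builds. Any cache keyed
    on those URLs is then poisoned with attacker-chosen hostnames."""
    forwarded = _lookup(headers, "X-Forwarded-Host")
    if forwarded is not None:
        return forwarded
    return _lookup(headers, "Host") or ""


def get_host(headers, use_x_forwarded_host=False):
    """Post-fix behaviour: X-Forwarded-Host is honoured only when the
    deployment opts in, i.e. only when a trusted proxy is known to set it.
    Otherwise the Host header alone decides."""
    if use_x_forwarded_host:
        forwarded = _lookup(headers, "X-Forwarded-Host")
        if forwarded is not None:
            return forwarded
    return _lookup(headers, "Host") or ""


def session_cache_key(session_key):
    """Cache key for a session record.

    Storing session data under a dedicated prefix keeps it out of the root
    namespace, so an application cache entry that happens to use the raw
    session key as its key can no longer overwrite or be read as a session.
    """
    return SESSION_KEY_PREFIX + session_key


def compare_host_handling(headers):
    """Return (legacy_host, fixed_default_host, fixed_opt_in_host) so the
    effect of the fix on one request is visible at a glance."""
    return (
        legacy_get_host(headers),
        get_host(headers),
        get_host(headers, use_x_forwarded_host=True),
    )


if __name__ == "__main__":
    # Constructed request: the Host header is the real site, while a client
    # that is not behind a trusted proxy has added its own X-Forwarded-Host.
    request_headers = {
        "Host": "app.example",
        "X-Forwarded-Host": "spoofed.example",
    }
    print(compare_host_handling(request_headers))
    print(session_cache_key("0123456789abcdef"))
```

`compare_host_handling` shows the before/after for a single request: the legacy path returns the forwarded value, the fixed default ignores it, and the opt-in path (for deployments that really sit behind a proxy setting that header) restores it. The cache prefix is independent of the request and simply keeps session entries in their own keyspace.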
--
Oneiric-changes mailing list
[email protected]