Oops; forgot to mention this was OK'd by maintainer Ryan Boggs and agreed with by various porters following a diff from Ryan to backport the changes.
On 2013/03/02 05:47, Stuart Henderson wrote:
> CVSROOT: /cvs
> Module name: ports
> Changes by: [email protected] 2013/03/02 05:47:50
>
> Modified files:
> www/py-django : Makefile distinfo
> www/py-django/pkg: PLIST
>
> Log message:
> SECURITY update; py-Django 1.4.5
> https://www.djangoproject.com/weblog/2013/feb/19/security/
>
> - Host header poisoning: an attacker could cause Django to generate
> and display URLs that link to arbitrary domains.
>
> - Formset denial-of-service: an attacker can abuse Django's tracking
> of the number of forms in a formset to cause a denial-of-service attack.
>
> - XML attacks: Django's serialization framework was vulnerable to
> attacks via XML entity expansion and external references.
>
> - Data leakage via admin history log: Django's admin interface could
> expose supposedly-hidden information via its history log.
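As an added example (not part of the commit above and not Django's own code), here is the kind of Host header allow-list check that mitigates the "Host header poisoning" item: the header is normalised, structurally validated and matched against configured patterns before it is ever used to build a URL. The pattern syntax and function names are this example's own convention.

```python
import re

# Added example: allow-list validation of the HTTP Host header.
# Not taken from the OpenBSD port or from Django; names and pattern
# syntax are this example's own.
_HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+$")      # RFC 1123 labels and dots only
_IPV6_LITERAL_RE = re.compile(r"^\[[0-9a-f:.]+\]$")

def normalise_host(header_value):
    """Lower-case a Host header value and strip an optional :port.

    Returns the bare host, or None when the value is structurally invalid
    (forbidden characters, junk after the port, unterminated IPv6 literal)."""
    value = header_value.strip().lower()
    if value.startswith("["):                     # IPv6 literal such as [::1]:8000
        end = value.find("]")
        if end == -1:
            return None
        host, port = value[:end + 1], value[end + 1:]
        if not _IPV6_LITERAL_RE.match(host):
            return None
    else:
        host, sep, port = value.partition(":")
        port = sep + port
        if not _HOSTNAME_RE.match(host):
            return None
        host = host.rstrip(".") or None           # "example.com." == "example.com"
    if port and not (port[0] == ":" and port[1:].isdigit()):
        return None
    return host

def host_allowed(host, allowed_hosts):
    """Match a normalised host against allow-list patterns: an exact name,
    a leading-dot suffix ('.example.com' also matches example.com itself),
    or '*' to accept any host."""
    for pattern in (p.lower() for p in allowed_hosts):
        if pattern == "*" or host == pattern:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False

def validate_host_header(header_value, allowed_hosts):
    """True only if the Host header is well formed and on the allow-list;
    a caller should answer HTTP 400 otherwise rather than build URLs from it."""
    host = normalise_host(header_value)
    return host is not None and host_allowed(host, allowed_hosts)
```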
