Bug#407519: Security fix for Django i18n
Hi Raphael,

I just read http://www.us.debian.org/Bugs/Developer.en.html#severities and took the one that made more sense to me; there, the only severity that talks about security is critical, so I took that. I'm not a bug voodoo, I was just trying to give a hand marking bugs. Anyway, it's always good to learn a bit more on every matter, so thanks for the lesson and accept my apologies for messing up your bug reports.

Sincerely,
Marc.

On 1/19/07, Raphael Hertzog [EMAIL PROTECTED] wrote:
> severity 407519 important
> thanks
>
> On Fri, 19 Jan 2007, Marc Fargas wrote:
> > severity critical
> > tags +patch
> > thanks
> >
> > The current Django version in Debian has a security hole, so this bug should be critical, and the patch recommended by the submitter should be applied and brought to etch, I think.
>
> If I understand the bug correctly, the filename of the .po must be modified to include commands with backticks... in other words, the malicious intent is easily recognisable. I expect that 99.9% of the time, the person starting compile-messages just copied/installed the .po files where required... and he certainly would notice that the filename looks very strange compared to the other files!
>
> So I really don't agree with severity critical... which brings me to the point that you shouldn't change the severity without justifying your statement. "Has a security hole" is a bit short without explaining a likely case of security breach. In particular, when upstream has not considered the risk serious enough to warrant a point release...
>
> Of course, I'd like to hear opinions from others.
>
> Regards,
> --
> Raphaël Hertzog
> First French book on Debian GNU/Linux: http://www.ouaza.com/livre/admin-debian/
Bug#407519: Security fix for Django i18n
severity 407519 important
thanks

On Fri, 19 Jan 2007, Marc Fargas wrote:
> severity critical
> tags +patch
> thanks
>
> The current Django version in Debian has a security hole, so this bug should be critical, and the patch recommended by the submitter should be applied and brought to etch, I think.

If I understand the bug correctly, the filename of the .po must be modified to include commands with backticks... in other words, the malicious intent is easily recognisable. I expect that 99.9% of the time, the person starting compile-messages just copied/installed the .po files where required... and he certainly would notice that the filename looks very strange compared to the other files!

So I really don't agree with severity critical... which brings me to the point that you shouldn't change the severity without justifying your statement. "Has a security hole" is a bit short without explaining a likely case of security breach. In particular, when upstream has not considered the risk serious enough to warrant a point release...

Of course, I'd like to hear opinions from others.

Regards,
--
Raphaël Hertzog
First French book on Debian GNU/Linux: http://www.ouaza.com/livre/admin-debian/
Bug#407519: Security fix for Django i18n
severity critical
tags +patch
thanks

The current Django version in Debian has a security hole, so this bug should be critical, and the patch recommended by the submitter should be applied and brought to etch, I think.

Cheers,
Marc.
Bug#407519: Security fix for Django i18n system
Package: python-django
Version: 0.95-2

A vulnerability in the script used by Django to compile message files for use by its internationalization system was discovered and fixed after the 0.95 release; the compile-messages script was not escaping the names of files it handled, which meant that arbitrary commands could be executed as a result of maliciously-named .po files. This was fixed in revision 3592 of Django trunk[1], and that changeset applies cleanly to stock Django 0.95.

[1] http://code.djangoproject.com/changeset/3592

--
James Bennett
[EMAIL PROTECTED]
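The bug class described in the report above (a file name interpolated into a shell command string) and the two usual remedies, as an added illustration that is not part of the thread, not the Django compile-messages script, and not the content of changeset 3592. The function and file names are assumptions, the sample file names are constructed, and `msgfmt` is replaced by an inert echo program so the safe path can be exercised offline without gettext installed:

```python
import shlex
import subprocess
import sys

# Constructed sample names (not taken from the bug report). The second one carries a
# backtick, the shell metacharacter the report and the follow-up discussion mention.
BENIGN_PO = "django.po"
ODD_PO = "django`true`.po"   # hypothetical odd-looking file name
MO_FILE = "django.mo"

# Characters that /bin/sh treats specially; a file name carrying any of them must
# never reach a shell unquoted.
SHELL_METACHARACTERS = set("`$;|&<>(){}\\\"'\n")


def build_unsafe_command(po_file, mo_file):
    """The risky pattern: a file name dropped into a command string that a shell will
    parse. Double quotes do NOT stop backtick or $(...) substitution, so a name like
    ODD_PO would run a command. Returned only, never executed here."""
    return 'msgfmt -o "%s" "%s"' % (mo_file, po_file)


def build_quoted_command(po_file, mo_file):
    """Remedy 1: escape each name with shlex.quote before it reaches a shell."""
    return "msgfmt -o %s %s" % (shlex.quote(mo_file), shlex.quote(po_file))


def build_safe_argv(po_file, mo_file):
    """Remedy 2 (preferred): an argv list passed with shell=False, so no shell ever
    parses the names and metacharacters are plain bytes in the argument."""
    return ["msgfmt", "-o", mo_file, po_file]


def shell_metacharacters(name):
    """Defensive check: which shell-special characters does a file name contain?
    A non-empty result is a reason to reject the name or at least to log it."""
    return sorted(set(name) & SHELL_METACHARACTERS)


def run_argv_without_shell(argv):
    """Run argv[1:] through an inert stand-in for msgfmt and return the arguments
    exactly as the child process received them (shell=False is the default)."""
    echo_child = [sys.executable, "-c",
                  "import sys; sys.stdout.write('\\0'.join(sys.argv[1:]))"]
    result = subprocess.run(echo_child + argv[1:], capture_output=True,
                            text=True, check=True)
    return result.stdout.split("\0")


if __name__ == "__main__":
    print("unsafe :", build_unsafe_command(ODD_PO, MO_FILE))
    print("quoted :", build_quoted_command(ODD_PO, MO_FILE))
    print("argv   :", build_safe_argv(ODD_PO, MO_FILE))
    print("flagged:", shell_metacharacters(ODD_PO))
    print("child saw:", run_argv_without_shell(build_safe_argv(ODD_PO, MO_FILE)))
```

The argv form is the one to reach for: `shlex.quote` is correct, but it only protects the call sites you remember to wrap, whereas `subprocess.run([...])` without `shell=True` removes the shell from the picture entirely. The metacharacter check is a cheap extra guard for scripts that still have to build shell strings for an external tool.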