[Bug 884910] Re: Security issue (no CVE yet)
** Changed in: python-django-piston (Debian)
       Status: New => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/884910

Title:
  Security issue (no CVE yet)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django-piston/+bug/884910/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 884910] Re: Security issue (no CVE yet)
0.2.2-2 is in Precise, which contains the fix.

** Also affects: python-django-piston (Ubuntu Maverick)
   Importance: Undecided
       Status: New

** Also affects: python-django-piston (Ubuntu Natty)
   Importance: Undecided
       Status: New

** Also affects: python-django-piston (Ubuntu Oneiric)
   Importance: Undecided
       Status: New

** Also affects: python-django-piston (Ubuntu Precise)
   Importance: High
       Status: Fix Committed

** Changed in: python-django-piston (Ubuntu Precise)
       Status: Fix Committed => Fix Released

** Changed in: python-django-piston (Ubuntu Maverick)
       Status: New => Confirmed

** Changed in: python-django-piston (Ubuntu Maverick)
   Importance: Undecided => Medium

** Changed in: python-django-piston (Ubuntu Natty)
       Status: New => Confirmed

** Changed in: python-django-piston (Ubuntu Natty)
   Importance: Undecided => Medium

** Changed in: python-django-piston (Ubuntu Oneiric)
       Status: New => Confirmed

** Changed in: python-django-piston (Ubuntu Oneiric)
   Importance: Undecided => Medium

** Changed in: python-django-piston (Ubuntu Precise)
   Importance: High => Medium
[Bug 884910] Re: Security issue (no CVE yet)
Thanks for your patches! A few notes:

CVE-2011-4103 has been assigned to this issue, so I added it to the changelogs.

The maverick debdiff did not apply because the UDD tree you pulled from did not include the changes made to the maverick-updates package. I have applied your changes and created a new package for maverick-security.

The oneiric and natty patches number the patches you added to debian/patches, but they aren't applied in numerical order in the series file. I have adjusted this.

03-fix-pickle-load.diff doesn't list an upstream commit in the DEP-3, and it looks to be an exact patch of what came from Debian. I have added 'patch thanks to Debian' to the changelog.

I fixed some trailing whitespace and non-standard indentation in the changelogs.

With the above changes, I have uploaded updated source packages to the security PPA and will push out once they are built. Thanks again.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4103

** Changed in: python-django-piston (Ubuntu Maverick)
       Status: Confirmed => Fix Committed

** Changed in: python-django-piston (Ubuntu Natty)
       Status: Confirmed => Fix Committed

** Changed in: python-django-piston (Ubuntu Oneiric)
       Status: Confirmed => Fix Committed
[Bug 884910] Re: Security issue (no CVE yet)
This bug was fixed in the package python-django-piston - 0.2.2-1ubuntu1.11.10.1

---
python-django-piston (0.2.2-1ubuntu1.11.10.1) oneiric-security; urgency=low

  * SECURITY UPDATE: remote code execution vulnerability. LP: #884910
    - 02-fix-yaml-load.diff: use yaml.safe_load
    - 03-fix-pickle-load.diff: disable unpickling, backport from 0.2.3,
      patch thanks to Debian
    - https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
    - CVE-2011-4103

 -- Julian Taylor <jtaylor.deb...@googlemail.com>  Wed, 02 Nov 2011 19:18:12 +0100

** Changed in: python-django-piston (Ubuntu Oneiric)
       Status: Fix Committed => Fix Released

** Changed in: python-django-piston (Ubuntu Natty)
       Status: Fix Committed => Fix Released
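The two halves of the fix named in this changelog (disable unpickling, switch to yaml.safe_load), shown as an added example that is not code from piston, Debian or the Ubuntu packages: a request-body loader that picks a deserializer by Content-Type, first in the pre-fix shape (pickle.loads and a full YAML loader on attacker-supplied bytes), then hardened the way the two patches describe. The content-type strings, function names and the file-creating payload are assumptions for illustration; the payload opens a file instead of running a command so the effect is observable and harmless. PyYAML is imported only inside the YAML branch, so the pickle and JSON paths run with the standard library alone.

```python
"""Added example (not piston's code): a Content-Type driven request-body
loader in vulnerable and hardened form, mirroring CVE-2011-4103.

Assumptions: content-type strings, function names and the payload are
illustrative; PyYAML is imported only when the YAML branch is reached.
"""
import json
import os
import pickle
import tempfile


class FileCreatingPayload:
    """Object whose pickle encodes 'call open(path, "w")' rather than data.

    pickle honours __reduce__, so loading the bytes invokes the callable.
    A real attacker would choose os.system or subprocess; creating a file
    is a harmless, observable stand-in.
    """

    def __init__(self, path):
        self.path = path

    def __reduce__(self):
        return (open, (self.path, "w"))


def craft_pickle_payload(path):
    """Bytes an attacker would POST with Content-Type application/python-pickle."""
    return pickle.dumps(FileCreatingPayload(path))


def vulnerable_loads(content_type, body):
    """Pre-fix shape: every registered format is parsed with its full loader."""
    if content_type == "application/python-pickle":
        return pickle.loads(body)  # runs whatever callable the sender encoded
    if content_type == "application/x-yaml":
        import yaml
        # yaml.Loader resolves !!python/object/apply tags: the YAML half of the CVE
        return yaml.load(body, Loader=yaml.Loader)
    if content_type == "application/json":
        return json.loads(body)
    raise ValueError("unsupported content type: %s" % content_type)


def hardened_loads(content_type, body):
    """Post-fix shape: pickle is refused outright, YAML uses the safe loader."""
    if content_type == "application/python-pickle":
        raise ValueError("pickle request bodies are not accepted")
    if content_type == "application/x-yaml":
        import yaml
        return yaml.safe_load(body)  # plain scalars, lists and dicts only
    if content_type == "application/json":
        return json.loads(body)
    raise ValueError("unsupported content type: %s" % content_type)


def demo():
    """Feed a crafted pickle to both loaders; returns what each one did."""
    workdir = tempfile.mkdtemp()
    vuln_marker = os.path.join(workdir, "vulnerable.txt")
    safe_marker = os.path.join(workdir, "hardened.txt")

    # Vulnerable loader: unpickling creates the file as a side effect.
    result = vulnerable_loads("application/python-pickle",
                              craft_pickle_payload(vuln_marker))
    result.close()  # pickle.loads handed back the open file object
    vulnerable_executed = os.path.exists(vuln_marker)

    # Hardened loader: the body is rejected before a single byte is parsed.
    try:
        hardened_loads("application/python-pickle",
                       craft_pickle_payload(safe_marker))
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    hardened_executed = os.path.exists(safe_marker)

    return {
        "vulnerable_executed_payload": vulnerable_executed,
        "hardened_rejected_pickle": hardened_rejected,
        "hardened_executed_payload": hardened_executed,
        "json_still_works": hardened_loads("application/json", b'{"ok": 1}'),
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that no parsing bug is needed: pickle and the full YAML loader are designed to instantiate arbitrary Python callables, so any endpoint that hands them unauthenticated request bodies is remote code execution by specification. Removing the format is the only complete fix for pickle; for YAML, safe_load keeps the data-only subset that an API actually needs.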
[Bug 884910] Re: Security issue (no CVE yet)
This bug was fixed in the package python-django-piston - 0.2.2-1ubuntu1.11.04.1

---
python-django-piston (0.2.2-1ubuntu1.11.04.1) natty-security; urgency=low

  * SECURITY UPDATE: remote code execution vulnerability. LP: #884910
    - 02-fix-yaml-load.diff: use yaml.safe_load
    - 03-fix-pickle-load.diff: disable unpickling, backport from 0.2.3,
      patch thanks to Debian
    - https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
    - CVE-2011-4103

 -- Julian Taylor <jtaylor.deb...@googlemail.com>  Wed, 02 Nov 2011 19:18:12 +0100

** Changed in: python-django-piston (Ubuntu Maverick)
       Status: Fix Committed => Fix Released
[Bug 884910] Re: Security issue (no CVE yet)
This bug was fixed in the package python-django-piston - 0.2.2-1ubuntu0.2

---
python-django-piston (0.2.2-1ubuntu0.2) maverick-security; urgency=low

  * SECURITY UPDATE: remote code execution vulnerability. LP: #884910
    - 02-fix-yaml-load.diff: use yaml.safe_load
    - 03-fix-pickle-load.diff: disable unpickling, backport from 0.2.3,
      patch thanks to Debian
    - https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
    - Ubuntu patch thanks to Julian Taylor <jtaylor.deb...@googlemail.com>
    - CVE-2011-4103

 -- Jamie Strandboge <ja...@ubuntu.com>  Wed, 09 Nov 2011 10:04:28 -0600
[Bug 884910] Re: Security issue (no CVE yet)
** Branch linked: lp:ubuntu/maverick-security/python-django-piston

** Branch linked: lp:ubuntu/oneiric-security/python-django-piston

** Branch linked: lp:ubuntu/natty-security/python-django-piston
[Bug 884910] Re: Security issue (no CVE yet)
** Changed in: python-django-piston (Ubuntu)
   Importance: Undecided => High

** Changed in: python-django-piston (Ubuntu)
     Assignee: (unassigned) => Julian Taylor (jtaylor)

** Changed in: python-django-piston (Ubuntu)
       Status: New => In Progress
[Bug 884910] Re: Security issue (no CVE yet)
** Branch linked: lp:~jtaylor/ubuntu/natty/python-django-piston/fix-884910

** Branch linked: lp:~jtaylor/ubuntu/oneiric/python-django-piston/fix-884910

** Branch linked: lp:~jtaylor/ubuntu/maverick/python-django-piston/fix-884910
[Bug 884910] Re: Security issue (no CVE yet)
** Branch unlinked: lp:~jtaylor/ubuntu/maverick/python-django-piston/fix-884910
[Bug 884910] Re: Security issue (no CVE yet)
** Branch linked: lp:~jtaylor/ubuntu/maverick/python-django-piston/fix-884910
[Bug 884910] Re: Security issue (no CVE yet)
** Changed in: python-django-piston (Ubuntu)
     Assignee: Julian Taylor (jtaylor) => (unassigned)

** Changed in: python-django-piston (Ubuntu)
       Status: In Progress => Triaged

** Changed in: python-django-piston (Ubuntu)
       Status: Triaged => Fix Committed
[Bug 884910] Re: Security issue (no CVE yet)
Precise can be synced when it is uploaded to Debian; we don't need the diff anymore.
[Bug 884910] Re: Security issue (no CVE yet)
Subscribing ubuntu-security-sponsors
[Bug 884910] Re: Security issue (no CVE yet)
Another security issue in the package: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646517
[Bug 884910] Re: Security issue (no CVE yet)
** Changed in: python-django-piston (Debian)
   Importance: Undecided => Unknown