Format: 1.8 Date: Mon, 04 Mar 2013 14:08:31 -0500 Source: python-django Binary: python-django python-django-doc Architecture: all i386_translations Version: 1.1.1-2ubuntu1.8 Distribution: lucid Urgency: low Maintainer: Ubuntu/amd64 Build Daemon Changed-By: Marc Deslauriers Description: python-django - High-level Python web development framework python-django-doc - High-level Python web development framework (documentation) Launchpad-Bugs-Fixed: 1089337 1089337 1130445 1130445 1130445 1130445 Changes: python-django (1.1.1-2ubuntu1.8) lucid-security; urgency=low . * SECURITY UPDATE: host header poisoning (LP: #1089337) - debian/patches/fix_get_host.patch: tighten host header validation in django/http/__init__.py, add tests to tests/regressiontests/requests/tests.py. - https://www.djangoproject.com/weblog/2012/dec/10/security/ - No CVE number * SECURITY UPDATE: redirect poisoning (LP: #1089337) - debian/patches/fix_redirect_poisoning.patch: tighten validation in django/contrib/auth/views.py, django/contrib/comments/views/comments.py, django/contrib/comments/views/moderation.py, django/contrib/comments/views/utils.py, django/utils/http.py, django/views/i18n.py, add tests to tests/regressiontests/comment_tests/tests/comment_view_tests.py, tests/regressiontests/comment_tests/tests/moderation_view_tests.py, tests/regressiontests/views/tests/i18n.py. - https://www.djangoproject.com/weblog/2012/dec/10/security/ - No CVE number * SECURITY UPDATE: host header poisoning (LP: #1130445) - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting to django/conf/global_settings.py, django/conf/project_template/settings.py, django/http/__init__.py, django/test/utils.py, add docs to docs/ref/settings.txt, add tests to tests/regressiontests/requests/tests.py, backport required function to django/utils/functional.py. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - No CVE number * SECURITY UPDATE: XML attacks (LP: #1130445) - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion, and external entities/DTDs in django/core/serializers/xml_serializer.py, add tests to tests/regressiontests/serializers_regress/tests.py. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - CVE-2013-1664 - CVE-2013-1665 * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445) - debian/patches/CVE-2013-0305.patch: add permission checks to history view in django/contrib/admin/options.py, add tests to tests/regressiontests/admin_views/tests.py. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - CVE-2013-0305 * SECURITY UPDATE: Formset denial-of-service (LP: #1130445) - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt. - https://www.djangoproject.com/weblog/2013/feb/19/security/ - CVE-2013-0306 Checksums-Sha1: 19fdd1db324156ad4cce05075e3f30b87f5472c7 3881262 python-django_1.1.1-2ubuntu1.8_all.deb 7aaedbff46e02ad68fafde647a0f7a8549b495bb 1535336 python-django-doc_1.1.1-2ubuntu1.8_all.deb df31cfde681ba72edd38ae5ff2205cc6c4c3d107 3621373 python-django_1.1.1-2ubuntu1.8_i386_translations.tar.gz Checksums-Sha256: 2171d30c379ec9a6cac032f46b7f0af102a5a4b32e5c038114b22745cb5c7cf9 3881262 python-django_1.1.1-2ubuntu1.8_all.deb 0c784aa1005e7ceb797ae7f8ae80e3179ac3b08472ccb1ccd865d7ae98c80f54 1535336 python-django-doc_1.1.1-2ubuntu1.8_all.deb bfa2de10da6751d119e414e18dc3cde7aa3460b122361ca1434477935e553466 3621373 python-django_1.1.1-2ubuntu1.8_i386_translations.tar.gz Files: 7cfbc6ab90524d617bfbd8fc3f22cc53 3881262 python optional python-django_1.1.1-2ubuntu1.8_all.deb 255031b7a2ff565119429ea5ae7b1b64 1535336 doc optional python-django-doc_1.1.1-2ubuntu1.8_all.deb 3bc202b5dfc0f5c307c42292c4303cdd 3621373 raw-translations - python-django_1.1.1-2ubuntu1.8_i386_translations.tar.gz Original-Maintainer: Chris Lamb