Django security update 1.3.2

Bug #1031733 reported by Marti on 2012-08-01
This bug affects 3 people
Affects                  Status   Importance  Assigned to        Milestone
python-django (Ubuntu)            Undecided   Unassigned
Lucid                             Undecided   Marc Deslauriers
Natty                             Undecided   Marc Deslauriers
Oneiric                           Undecided   Marc Deslauriers
Precise                           High        Marc Deslauriers
Quantal                           Undecided   Unassigned

Bug Description

The Django project released security update 1.3.2 on July 30; please update this in Ubuntu precise.

https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/

In particular, Django security releases should be coordinated with the distributors: "If you are or represent a third-party distributor of Django and did not receive a notification email regarding this announcement from the Django release manager, please contact <email address hidden>."

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: python-django 1.3.1-4ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-26.41-virtual 3.2.19
Uname: Linux 3.2.0-26-virtual x86_64
ApportVersion: 2.0.1-0ubuntu11
Architecture: amd64
Date: Wed Aug 1 14:35:05 2012
InstallationMedia: Ubuntu-Server 11.04 "Natty Narwhal" - Release amd64 (20110426)
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_US:en
 TERM=xterm
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/usr/bin/zsh
SourcePackage: python-django
UpgradeStatus: Upgraded to precise on 2012-05-03 (89 days ago)

Revision history for this message
Marti (intgr) wrote :
visibility: private → public
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-django (Ubuntu):
status: New → Confirmed
Revision history for this message
James Bennett (ubernostrum) wrote :

Quick heads-up: a Python 2.4 compatibility issue has been found in the 1.3.2 package. A patch has landed upstream:

https://github.com/django/django/commit/d0d5dc6cd76f01c8a71b677357ad2f702cb54416

And we (Django) will be issuing 1.3.3 as a bugfix release for this within the next 24 hours.

Revision history for this message
Scott Kitterman (kitterman) wrote :

Fixed in 1.4.1, which is in quantal.

Changed in python-django (Ubuntu Quantal):
status: Confirmed → Fix Released
Changed in python-django (Ubuntu Precise):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Scott Kitterman (kitterman)
milestone: none → precise-updates
Revision history for this message
Scott Kitterman (kitterman) wrote :

Since there are non-security changes in 1.3.2/3, we'll cherry-pick just the commits for precise and oneiric. Debian has 1.2 patches we can use for natty. I did not check applicability to hardy or lucid.

Revision history for this message
Scott Kitterman (kitterman) wrote :

Fix for precise.

Changed in python-django (Ubuntu Precise):
status: In Progress → Confirmed
Revision history for this message
Scott Kitterman (kitterman) wrote :

I did build the package. Given the upstream test suite that runs during build, I think that should be sufficient given that the change is the exact upstream change.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Thanks, Scott, I'll review and push.

Changed in python-django (Ubuntu Precise):
assignee: Scott Kitterman (kitterman) → Steve Beattie (sbeattie)
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-django (Ubuntu Natty):
status: New → Confirmed
Changed in python-django (Ubuntu Oneiric):
status: New → Confirmed
Changed in python-django (Ubuntu Precise):
assignee: Steve Beattie (sbeattie) → Marc Deslauriers (mdeslaur)
Changed in python-django (Ubuntu Lucid):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-django (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-django (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3.1-4ubuntu1.2

---------------
python-django (1.3.1-4ubuntu1.2) precise-security; urgency=high

  [ Scott Kitterman ]
  * SECURITY UPDATE: multiple issues (LP: #1031733)
  * References CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
    https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
  * New upstream release to address three security issues:
    - Cross-site scripting in authentication views
    - Denial-of-service in image validation
    - Denial-of-service via get_image_dimensions()
  * Added debian/patches/security_http_redirects,
    security_image_uploading_two, and security_image_uploading cherry picked
    from upstream git

  [ Marc Deslauriers ]
  * debian/patches/security_http_redirects: remove unrelated changes, add
    python 2.4 regression fix.
 -- Marc Deslauriers <email address hidden> Thu, 06 Sep 2012 08:36:28 -0400

Changed in python-django (Ubuntu Precise):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.1.1-2ubuntu1.5

---------------
python-django (1.1.1-2ubuntu1.5) lucid-security; urgency=low

  * SECURITY UPDATE: Cross-site scripting in authentication views
    (LP: #1031733)
    - debian/patches/16_fix_cross_site_scripting_in_authentication.diff:
      fix unsafe redirects in django/http/__init__.py. Patch backported from
      Debian Squeeze and fixed for python 2.4 compatibility.
    - CVE-2012-3442
  * SECURITY UPDATE: Denial-of-service in image validation (LP: #1031733)
    - debian/patches/17_fix_dos_in_image_validation.diff: call verify()
      immediately after the constructor in django/forms/fields.py.
    - CVE-2012-3443
  * SECURITY UPDATE: Denial-of-service via get_image_dimensions()
    (LP: #1031733)
    - debian/patches/18_fix_dos_via_get_image_dimensions.diff: don't limit
      chunk size in django/core/files/images.py.
    - CVE-2012-3444
 -- Marc Deslauriers <email address hidden> Thu, 06 Sep 2012 09:56:37 -0400

Changed in python-django (Ubuntu Lucid):
status: Confirmed → Fix Released
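The redirect fix named in the changelog above (CVE-2012-3442) comes down to refusing redirect targets whose URL scheme is not one of http, https or ftp. The following is an added stand-alone example, not Django's own code or the Ubuntu patch: the function names, the dict used in place of a response object and the constructed inputs are assumptions, and it places the pre-fix and post-fix behaviour side by side.

```python
# Added example (not Django's or the Ubuntu package's code): an allowed-scheme
# check for redirect targets in the style Django 1.3.2 adopted, so the
# vulnerable and hardened behaviours can be compared on constructed inputs.
from urllib.parse import urlparse

# The allow-list the Django 1.3.2 fix used for its redirect responses.
ALLOWED_SCHEMES = ("http", "https", "ftp")


class UnsafeRedirect(Exception):
    """Raised for a redirect target whose scheme is not on the allow-list."""


def build_redirect_unchecked(redirect_to):
    """Pre-fix behaviour (hypothetical helper): whatever value arrives, for
    example from a 'next' parameter, becomes the Location header verbatim,
    so a 'javascript:' or 'data:' URL is passed straight to the browser."""
    return {"status": 302, "Location": redirect_to}


def build_redirect_checked(redirect_to):
    """Post-fix behaviour (hypothetical helper): any absolute URL whose scheme
    is not http, https or ftp is rejected. Relative paths carry no scheme and
    are still allowed. urlparse() lower-cases the scheme, so a mixed-case
    'JavaScript:' target is caught as well."""
    parsed = urlparse(redirect_to)
    if parsed.scheme and parsed.scheme not in ALLOWED_SCHEMES:
        raise UnsafeRedirect("unsafe redirect to scheme %r" % parsed.scheme)
    return {"status": 302, "Location": redirect_to}


def classify(redirect_to):
    """Return 'allowed' or 'rejected' for a candidate redirect target."""
    try:
        build_redirect_checked(redirect_to)
    except UnsafeRedirect:
        return "rejected"
    return "allowed"


if __name__ == "__main__":
    # Constructed sample targets; the last one shows the limit of a
    # scheme-only check: it does not look at the host, so a protocol-relative
    # URL to another site still passes and needs a separate host check.
    for target in ("/accounts/profile/", "https://example.org/dashboard/",
                   "javascript:void(0)", "JavaScript:void(0)",
                   "data:text/html;base64,AAAA", "//other.example/"):
        print("%-32s %s" % (target, classify(target)))
```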
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.2.5-1ubuntu1.2

---------------
python-django (1.2.5-1ubuntu1.2) natty-security; urgency=low

  * SECURITY UPDATE: Cross-site scripting in authentication views
    (LP: #1031733)
    - debian/patches/16_fix_cross_site_scripting_in_authentication.diff:
      fix unsafe redirects in django/http/__init__.py, add test case to
      tests/regressiontests/httpwrappers/tests.py. Patch backport taken
      from Debian Squeeze and fixed for python 2.4 compatibility.
    - CVE-2012-3442
  * SECURITY UPDATE: Denial-of-service in image validation (LP: #1031733)
    - debian/patches/17_fix_dos_in_image_validation.diff: call verify()
      immediately after the constructor in django/forms/fields.py.
    - CVE-2012-3443
  * SECURITY UPDATE: Denial-of-service via get_image_dimensions()
    (LP: #1031733)
    - debian/patches/18_fix_dos_via_get_image_dimensions.diff: don't limit
      chunk size in django/core/files/images.py.
    - CVE-2012-3444
 -- Marc Deslauriers <email address hidden> Thu, 06 Sep 2012 09:39:29 -0400

Changed in python-django (Ubuntu Natty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3-2ubuntu1.3

---------------
python-django (1.3-2ubuntu1.3) oneiric-security; urgency=low

  [ Scott Kitterman ]
  * SECURITY UPDATE: multiple issues (LP: #1031733)
  * References CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
    https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
  * New upstream release to address three security issues:
    - Cross-site scripting in authentication views
    - Denial-of-service in image validation
    - Denial-of-service via get_image_dimensions()
  * Added debian/patches/security_http_redirects,
    security_image_uploading_two, and security_image_uploading cherry picked
    from upstream git

  [ Steve Beattie ]
  * added debian/patches/10_fix_testsuite_failure.patch: adjust
    test_week_view_allow_future to ensure the first week of the year is
    selected

  [ Marc Deslauriers ]
  * debian/patches/security_http_redirects: remove unrelated changes, add
    python 2.4 regression fix.
 -- Marc Deslauriers <email address hidden> Thu, 06 Sep 2012 08:40:28 -0400

Changed in python-django (Ubuntu Oneiric):
status: Confirmed → Fix Released