Ubuntu
python-django package

Please backport Django 1.3.5/1.4.3 security updates

Bug #1089337 reported by Marti
268
This bug affects 4 people
Affects Status Importance Assigned to Milestone
python-django (Ubuntu)
Fix Released
Medium
Unassigned
Lucid
Fix Released
Medium
Unassigned
Oneiric
Fix Released
Medium
Unassigned
Precise
Fix Released
Medium
Unassigned
Quantal
Fix Released
Medium
Unassigned
Raring
Fix Released
Medium
Unassigned

Bug Description

Django released new versions 1.3.5 and 1.4.3 recently with some security updates:
https://www.djangoproject.com/weblog/2012/dec/10/security/

Please backport these fixes to Ubuntu releases.

Marti (intgr)
information type: Private Security → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-django (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur)
Changed in python-django (Ubuntu Raring):
status: Confirmed → Fix Released
Changed in python-django (Ubuntu Lucid):
status: New → Confirmed
Changed in python-django (Ubuntu Oneiric):
status: New → Confirmed
Changed in python-django (Ubuntu Precise):
status: New → Confirmed
Changed in python-django (Ubuntu Quantal):
status: New → Confirmed
Changed in python-django (Ubuntu Lucid):
importance: Undecided → Medium
Changed in python-django (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in python-django (Ubuntu Quantal):
importance: Undecided → Medium
Changed in python-django (Ubuntu Raring):
importance: Undecided → Medium
Changed in python-django (Ubuntu Precise):
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3-2ubuntu1.6

---------------
python-django (1.3-2ubuntu1.6) oneiric-security; urgency=low

  * SECURITY UPDATE: host header poisoning (LP: #1089337)
    - debian/patches/fix_get_host.patch: tighten host header validation in
      django/http/__init__.py, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: redirect poisoning (LP: #1089337)
    - debian/patches/fix_redirect_poisoning.patch: tighten validation in
      django/contrib/auth/views.py,
      django/contrib/comments/views/comments.py,
      django/contrib/comments/views/moderation.py,
      django/contrib/comments/views/utils.py, django/utils/http.py,
      django/views/i18n.py, add tests to
      tests/regressiontests/comment_tests/tests/comment_view_tests.py,
      tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
      tests/regressiontests/views/tests/i18n.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: host header poisoning (LP: #1130445)
    - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
      to django/conf/global_settings.py,
      django/conf/project_template/settings.py,
      django/http/__init__.py, django/test/utils.py, add docs to
      docs/ref/settings.txt, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - No CVE number
  * SECURITY UPDATE: XML attacks (LP: #1130445)
    - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
      and external entities/DTDs in
      django/core/serializers/xml_serializer.py, add tests to
      tests/regressiontests/serializers_regress/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-1664
    - CVE-2013-1665
  * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
    - debian/patches/CVE-2013-0305.patch: add permission checks to history
      view in django/contrib/admin/options.py, add tests to
      tests/regressiontests/admin_views/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0305
  * SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
    - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
      django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
      docs/topics/forms/modelforms.txt, add tests to
      tests/regressiontests/forms/tests/formsets.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0306
 -- Marc Deslauriers <email address hidden> Mon, 04 Mar 2013 10:33:54 -0500

Changed in python-django (Ubuntu Oneiric):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.1.1-2ubuntu1.8

---------------
python-django (1.1.1-2ubuntu1.8) lucid-security; urgency=low

  * SECURITY UPDATE: host header poisoning (LP: #1089337)
    - debian/patches/fix_get_host.patch: tighten host header validation in
      django/http/__init__.py, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: redirect poisoning (LP: #1089337)
    - debian/patches/fix_redirect_poisoning.patch: tighten validation in
      django/contrib/auth/views.py,
      django/contrib/comments/views/comments.py,
      django/contrib/comments/views/moderation.py,
      django/contrib/comments/views/utils.py, django/utils/http.py,
      django/views/i18n.py, add tests to
      tests/regressiontests/comment_tests/tests/comment_view_tests.py,
      tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
      tests/regressiontests/views/tests/i18n.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: host header poisoning (LP: #1130445)
    - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
      to django/conf/global_settings.py,
      django/conf/project_template/settings.py,
      django/http/__init__.py, django/test/utils.py, add docs to
      docs/ref/settings.txt, add tests to
      tests/regressiontests/requests/tests.py, backport required function
      to django/utils/functional.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - No CVE number
  * SECURITY UPDATE: XML attacks (LP: #1130445)
    - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
      and external entities/DTDs in
      django/core/serializers/xml_serializer.py, add tests to
      tests/regressiontests/serializers_regress/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-1664
    - CVE-2013-1665
  * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
    - debian/patches/CVE-2013-0305.patch: add permission checks to history
      view in django/contrib/admin/options.py, add tests to
      tests/regressiontests/admin_views/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0305
  * SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
    - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
      django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0306
 -- Marc Deslauriers <email address hidden> Mon, 04 Mar 2013 14:08:31 -0500

Changed in python-django (Ubuntu Lucid):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.4.1-2ubuntu0.3

---------------
python-django (1.4.1-2ubuntu0.3) quantal-security; urgency=low

  * SECURITY UPDATE: host header poisoning (LP: #1089337)
    - debian/patches/fix_get_host.patch: tighten host header validation in
      django/http/__init__.py, add info to docs/topics/security.txt, add
      tests to tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: redirect poisoning (LP: #1089337)
    - debian/patches/fix_redirect_poisoning.patch: tighten validation in
      django/contrib/auth/views.py,
      django/contrib/comments/views/comments.py,
      django/contrib/comments/views/moderation.py,
      django/contrib/comments/views/utils.py, django/utils/http.py,
      django/views/i18n.py, add tests to
      tests/regressiontests/comment_tests/tests/comment_view_tests.py,
      tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
      tests/regressiontests/views/tests/i18n.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: host header poisoning (LP: #1130445)
    - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
      to django/conf/global_settings.py,
      django/conf/project_template/project_name/settings.py,
      django/contrib/auth/tests/views.py,
      django/contrib/contenttypes/tests.py, django/contrib/sites/tests.py,
      django/http/__init__.py, django/test/utils.py, add docs to
      docs/ref/settings.txt, docs/topics/security.txt, add tests to
      tests/regressiontests/csrf_tests/tests.py,
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - No CVE number
  * SECURITY UPDATE: XML attacks (LP: #1130445)
    - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
      and external entities/DTDs in
      django/core/serializers/xml_serializer.py, add tests to
      tests/regressiontests/serializers_regress/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-1664
    - CVE-2013-1665
  * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
    - debian/patches/CVE-2013-0305.patch: add permission checks to history
      view in django/contrib/admin/options.py, add tests to
      tests/regressiontests/admin_views/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0305
  * SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
    - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
      django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
      docs/topics/forms/modelforms.txt, add tests to
      tests/regressiontests/forms/tests/formsets.py,
      tests/regressiontests/generic_inline_admin/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0306
 -- Marc Deslauriers <email address hidden> Mon, 04 Mar 2013 08:28:36 -0500

Changed in python-django (Ubuntu Quantal):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3.1-4ubuntu1.6

---------------
python-django (1.3.1-4ubuntu1.6) precise-security; urgency=low

  * SECURITY UPDATE: host header poisoning (LP: #1089337)
    - debian/patches/fix_get_host.patch: tighten host header validation in
      django/http/__init__.py, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: redirect poisoning (LP: #1089337)
    - debian/patches/fix_redirect_poisoning.patch: tighten validation in
      django/contrib/auth/views.py,
      django/contrib/comments/views/comments.py,
      django/contrib/comments/views/moderation.py,
      django/contrib/comments/views/utils.py, django/utils/http.py,
      django/views/i18n.py, add tests to
      tests/regressiontests/comment_tests/tests/comment_view_tests.py,
      tests/regressiontests/comment_tests/tests/moderation_view_tests.py,
      tests/regressiontests/views/tests/i18n.py.
    - https://www.djangoproject.com/weblog/2012/dec/10/security/
    - No CVE number
  * SECURITY UPDATE: host header poisoning (LP: #1130445)
    - debian/patches/add_allowed_hosts.patch: add new ALLOWED_HOSTS setting
      to django/conf/global_settings.py,
      django/conf/project_template/settings.py,
      django/http/__init__.py, django/test/utils.py, add docs to
      docs/ref/settings.txt, add tests to
      tests/regressiontests/requests/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - No CVE number
  * SECURITY UPDATE: XML attacks (LP: #1130445)
    - debian/patches/CVE-2013-166x.patch: forbid DTDs, entity expansion,
      and external entities/DTDs in
      django/core/serializers/xml_serializer.py, add tests to
      tests/regressiontests/serializers_regress/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-1664
    - CVE-2013-1665
  * SECURITY UPDATE: Data leakage via admin history log (LP: #1130445)
    - debian/patches/CVE-2013-0305.patch: add permission checks to history
      view in django/contrib/admin/options.py, add tests to
      tests/regressiontests/admin_views/tests.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0305
  * SECURITY UPDATE: Formset denial-of-service (LP: #1130445)
    - debian/patches/CVE-2013-0306.patch: limit maximum number of forms in
      django/forms/formsets.py, add docs to docs/topics/forms/formsets.txt,
      docs/topics/forms/modelforms.txt, add tests to
      tests/regressiontests/forms/tests/formsets.py.
    - https://www.djangoproject.com/weblog/2013/feb/19/security/
    - CVE-2013-0306
 -- Marc Deslauriers <email address hidden> Mon, 04 Mar 2013 10:13:59 -0500

Changed in python-django (Ubuntu Precise):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.