diff -u python-django-0.96/debian/changelog python-django-0.96/debian/changelog
--- python-django-0.96/debian/changelog
+++ python-django-0.96/debian/changelog
@@ -1,3 +1,15 @@
+python-django (0.96-1ubuntu0.2) gutsy-security; urgency=low
+
+ * SECURITY UPDATE: security vulnerability in django admin
+ * debian/patches/05_CVE-2008-2302_fix.diff: added upstream fix
+ escaping request path in login page of admin site.(LP: #23463)
+ * References:
+ CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2302
+ upstream announce: http://www.djangoproject.com/weblog/2008/may/14/security/
+ upstream fix: http://code.djangoproject.com/changeset/7527
+
+ -- Andrea Gasparini Thu, 29 May 2008 17:00:38 +0200
+
 python-django (0.96-1ubuntu0.1) gutsy-security; urgency=low
 * SECURITY UPDATE: Denial of service in i18n middleware.
only in patch2: unchanged:
--- python-django-0.96.orig/debian/patches/05_CVE-2008-2302_fix.diff
+++ python-django-0.96/debian/patches/05_CVE-2008-2302_fix.diff
@@ -0,0 +1,20 @@
+diff -Nur python-django-0.96.orig/django/contrib/admin/views/decorators.py python-django-0.96/django/contrib/admin/views/decorators.py
+--- python-django-0.96.orig/django/contrib/admin/views/decorators.py 2008-05-29 16:12:59.000000000 +0200
++++ python-django-0.96/django/contrib/admin/views/decorators.py 2008-05-29 16:13:29.000000000 +0200
+@@ -3,6 +3,7 @@
+ from django.contrib.auth.models import User
+ from django.contrib.auth import authenticate, login
+ from django.shortcuts import render_to_response
++from django.utils.html import escape
+ from django.utils.translation import gettext_lazy
+ import base64, datetime, md5
+ import cPickle as pickle
+@@ -22,7 +23,7 @@
+ post_data = _encode_post_data({})
+ return render_to_response('admin/login.html', {
+ 'title': _('Log in'),
+- 'app_path': request.path,
++ 'app_path': escape(request.path),
+ 'post_data': post_data,
+ 'error_message': error_message
+ }, context_instance=template.RequestContext(request))
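Review bot: The new patch escapes `request.path` only at the one place it is handed to the `admin/login.html` context as `app_path`; Django 0.96 templates do not autoescape, so any other admin view that renders a request-derived path is unaffected by this change, and the backport should be checked against the rest of `django/contrib/admin/views` rather than read as covering the admin as a whole (the changelog says it mirrors upstream changeset 7527, which I cannot verify from here). Since `request.path` comes straight from the request, a why-comment above the changed line would keep the intent visible on future rebases, e.g. `# request.path is client-controlled; HTML-escape before it reaches the login template (CVE-2008-2302)`. The new patch file has no header, so consider opening it with a description line such as `# Backport of upstream changeset 7527: escape request.path in the admin login view (CVE-2008-2302)` before the `diff -Nur` line, where patch(1) ignores it. If this package applies its patches through dpatch, `debian/patches/00list` also needs the new entry, and this diff does not show that file. The function enclosing the `render_to_response` call starts and ends outside the hunk.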