diff -u python-django-1.0.2/debian/changelog python-django-1.0.2/debian/changelog
--- python-django-1.0.2/debian/changelog
+++ python-django-1.0.2/debian/changelog
@@ -1,3 +1,15 @@
+python-django (1.0.2-1ubuntu0.2) jaunty-security; urgency=low
+
+ * SECURITY UPDATE: Certain email addresses/URLs can trigger
+ a catastrophic backtracking situation, causing 100% CPU
+ and server overload.
+ http://www.djangoproject.com/weblog/2009/oct/09/security/
+ - Applied upstream changeset 11605
+ - LP: #447617
+ - CVE-2009-3695
+
+ -- Krzysztof Klimonda Tue, 13 Oct 2009 21:59:00 +0200
+
 python-django (1.0.2-1ubuntu0.1) jaunty-security; urgency=low
 * SECURITY UPDATE: crafted URL can cause the development server to serve
only in patch2:
unchanged:
--- python-django-1.0.2.orig/debian/patches/06_security_corrected-regular-expressions.diff
+++ python-django-1.0.2/debian/patches/06_security_corrected-regular-expressions.diff
@@ -0,0 +1,21 @@
+diff -Nur -x '*.orig' -x '*~' python-django-1.0.2/django/forms/fields.py python-django-1.0.2.new/django/forms/fields.py
+--- python-django-1.0.2/django/forms/fields.py 2008-11-19 06:44:20.000000000 +0100
++++ python-django-1.0.2.new/django/forms/fields.py 2009-10-13 21:47:48.203482064 +0200
+@@ -421,7 +421,7 @@
+ email_re = re.compile(
+ r"(^[-!#$%&'*+/=?^_`{}|~0-9A-Z]+(\.[-!#$%&'*+/=?^_`{}|~0-9A-Z]+)*" # dot-atom
+ r'|^"([\001-\010\013\014\016-\037!#-\[\]-\177]|\\[\001-011\013\014\016-\177])*"' # quoted-string
+- r')@(?:[A-Z0-9-]+\.)+[A-Z]{2,6}$', re.IGNORECASE) # domain
++ r')@(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?$', re.IGNORECASE) # domain
+
+ class EmailField(RegexField):
+ default_error_messages = {
+@@ -527,7 +527,7 @@
+
+ url_re = re.compile(
+ r'^https?://' # http:// or https://
+- r'(?:(?:[A-Z0-9-]+\.)+[A-Z]{2,6}|' #domain...
++ r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?|' #domain...
+ r'localhost|' #localhost...
+ r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' # ...or ip
+ r'(?::\d+)?' # optional port
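Review bot: The new patch file 06_security_corrected-regular-expressions.diff begins directly at the `diff -Nur` line with no header recording what it fixes or where it came from, so the only provenance for this regex change lives in debian/changelog. Because patch(1) ignores free text before the first file header, a DEP-3 style preamble such as `Description: Bound domain labels in email_re/url_re to stop catastrophic backtracking (CVE-2009-3695)`, `Origin: upstream, changeset 11605, http://www.djangoproject.com/weblog/2009/oct/09/security/` and `Bug-Ubuntu: https://launchpad.net/bugs/447617` would make the patch self-describing when it is later refreshed or dropped. Separately, the unchanged quoted-string line in the first inner hunk contains `\\[\001-011\013\014\016-\177]`, where `\001-011` reads in Python's re syntax as the range `\001`–`0` followed by two literal `1` characters rather than the presumably intended `\001-\011`; that is pre-existing and out of scope for a minimal security update, but worth a follow-up against upstream. The `url_re` definition in the second inner hunk continues past the shown context, so the closing of its `re.compile(` call is outside this patch.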