SECURITY - multiple vulnerabilities, upgrade needed to 1.2.5 or 1.1.4
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | python-django (Ubuntu) |
Medium
|
Jamie Strandboge | ||
| | Hardy |
Medium
|
Unassigned | ||
| | Karmic |
Medium
|
Jamie Strandboge | ||
| | Lucid |
Medium
|
Jamie Strandboge | ||
| | Maverick |
Medium
|
Jamie Strandboge | ||
| | Natty |
Medium
|
Jamie Strandboge | ||
Bug Description
Binary package hint: python-django
See this link: http://
No CVE seems to have been assigned yet.
" Today the Django team is issuing multiple releases -- Django 1.2.5 and Django 1.1.4 -- to remedy three security issues reported to us. All users of affected versions of Django are urged to upgrade immediately. "
* Flaw in CSRF handling
* Potential XSS in file field rendering
* Directory-traversal vulnerability on Windows
| visibility: | private → public |
| James Bennett (ubernostrum) wrote : Re: [Bug 719031] [NEW] SECURITY - multiple vulnerabilities, upgrade needed to 1.2.5 or 1.1.4 | #1 |
| Changed in python-django (Ubuntu Hardy): | |
| status: | New → Confirmed |
| Changed in python-django (Ubuntu Karmic): | |
| status: | New → Confirmed |
| Changed in python-django (Ubuntu Lucid): | |
| importance: | Undecided → Medium |
| status: | New → Confirmed |
| Changed in python-django (Ubuntu Maverick): | |
| importance: | Undecided → Medium |
| status: | New → Confirmed |
| Changed in python-django (Ubuntu Natty): | |
| importance: | Undecided → Medium |
| status: | New → Confirmed |
| Changed in python-django (Ubuntu Karmic): | |
| importance: | Undecided → Medium |
| Changed in python-django (Ubuntu Hardy): | |
| importance: | Undecided → Medium |
| Jamie Strandboge (jdstrand) wrote : | #2 |
CVE-2011-0698 only affects Windows.
| Changed in python-django (Ubuntu Lucid): | |
| status: | Confirmed → In Progress |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in python-django (Ubuntu Maverick): | |
| status: | Confirmed → In Progress |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in python-django (Ubuntu Karmic): | |
| status: | Confirmed → In Progress |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in python-django (Ubuntu Natty): | |
| status: | Confirmed → Triaged |
| Jamie Strandboge (jdstrand) wrote : | #3 |
Hardy's python-django is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/
| Jamie Strandboge (jdstrand) wrote : | #4 |
After fixing the stable releases, I am going to look at Natty. If Debian unstable has 1.2.5 by then, I will perform a merge, otherwise I will update the existing natty package.
| Changed in python-django (Ubuntu Natty): | |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in python-django (Ubuntu Lucid): | |
| status: | In Progress → Fix Committed |
| Changed in python-django (Ubuntu Maverick): | |
| status: | In Progress → Fix Committed |
| Changed in python-django (Ubuntu Karmic): | |
| status: | In Progress → Fix Committed |
| Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package python-django - 1.2.3-1ubuntu0.
---------------
python-django (1.2.3-
* SECURITY UPDATE: flaw in CSRF handling (LP: #719031)
- debian/
requests, regardless of apparent AJAX origin. This is technically
backwards
outweigh the compatibility concerns in this case. See the Django project
notes for more information:
http://
- CVE-2011-0696
* SECURITY UPDATE: potential XSS in file field rendering
- debian/
security fix tests
- debian/
django/
- CVE-2011-0697
-- Jamie Strandboge <email address hidden> Tue, 15 Feb 2011 17:04:19 -0600
| Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package python-django - 1.1.1-2ubuntu1.3
---------------
python-django (1.1.1-2ubuntu1.3) lucid-security; urgency=low
* SECURITY UPDATE: flaw in CSRF handling (LP: #719031)
- debian/
requests, regardless of apparent AJAX origin. This is technically
backwards
outweigh the compatibility concerns in this case. See the Django project
notes for more information:
http://
- CVE-2011-0696
* SECURITY UPDATE: potential XSS in file field rendering
- debian/
django/
- CVE-2011-0697
-- Jamie Strandboge <email address hidden> Tue, 15 Feb 2011 17:11:08 -0600
| Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package python-django - 1.1.1-1ubuntu1.2
---------------
python-django (1.1.1-1ubuntu1.2) karmic-security; urgency=low
* SECURITY UPDATE: flaw in CSRF handling (LP: #719031)
- debian/
requests, regardless of apparent AJAX origin. This is technically
backwards
outweigh the compatibility concerns in this case. See the Django project
notes for more information:
http://
- CVE-2011-0696
* SECURITY UPDATE: potential XSS in file field rendering
- debian/
django/
- CVE-2011-0697
-- Jamie Strandboge <email address hidden> Tue, 15 Feb 2011 17:18:54 -0600
| Changed in python-django (Ubuntu Karmic): | |
| status: | Fix Committed → Fix Released |
| Changed in python-django (Ubuntu Lucid): | |
| status: | Fix Committed → Fix Released |
| Changed in python-django (Ubuntu Maverick): | |
| status: | Fix Committed → Fix Released |
| Changed in python-django (Ubuntu Natty): | |
| status: | Triaged → In Progress |
| Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package python-django - 1.2.5-1ubuntu1
---------------
python-django (1.2.5-1ubuntu1) natty; urgency=low
* Merge from Debian for security fixes (LP: #719031). Remaining changes:
- debian/control: don't Build-Depends on locales-all, which doesn't exist
in natty
* Drop the following patches, now included upstream:
- debian/
- debian/
python-django (1.2.5-1) unstable; urgency=low
* New upstream release.
* Do not compress objects.inv used by Sphinx generated documentation.
Thanks to Michael Fladischer for the report. Closes: #608769
python-django (1.2.4-1) unstable; urgency=high
* New bugfix-only upstream release. It includes security fixes.
http://
* Drop patches merged upstream:
- debian/
- debian/
* Update 01_disable_
updated regressions tests.
* Update 03_manpage.diff and 04_hyphen-
the manual page.
python-django (1.2.3-2) unstable; urgency=low
* Team upload.
* Disable model tests that require an internet connection.
Closes: #601070
* Include python.mk conditionally as explained in its header.
Helps backports to Lenny which has no python.mk.
Closes: #601608
-- Jamie Strandboge <email address hidden> Thu, 17 Feb 2011 13:34:07 -0600
| Changed in python-django (Ubuntu Natty): | |
| status: | In Progress → Fix Released |
| Jamie Strandboge (jdstrand) wrote : | #9 |
Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/
Please feel free to report any other bugs you may find.
| Changed in python-django (Ubuntu Hardy): | |
| status: | Confirmed → Won't Fix |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Guillaume Pratte wrote:
> See this link: http://
> No CVE seems to have been assigned yet.
As reported to us (Django), the following IDs have been assigned:
CVE-2011-0696 -- CSRF
CVE-2011-0697 -- file field XSS
CVE-2011-0698 -- directory traversal
- --
James Bennett
<email address hidden>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://
iEYEARECAAYFAk1
MEIAmgJd846BOUn
=UtW5
-----END PGP SIGNATURE-----