* SECURITY UPDATE: flaw in CSRF handling (LP: #719031)
- debian/patches/10_CVE-2011-0696.diff: apply full CSRF validation to all
requests, regardless of apparent AJAX origin. This is technically
backwards-incompatible, but the security risks have been judged to
outweigh the compatibility concerns in this case. See the Django project
notes for more information: http://www.djangoproject.com/weblog/2011/feb/08/security/
- CVE-2011-0696
* SECURITY UPDATE: potential XSS in file field rendering
- debian/patches/11_CVE-2011-0697.diff: properly escape URL in
django/contrib/admin/widgets.py
- CVE-2011-0697
-- Jamie Strandboge <email address hidden> Tue, 15 Feb 2011 17:11:08 -0600
This bug was fixed in the package python-django - 1.1.1-2ubuntu1.3
---------------
python-django (1.1.1-2ubuntu1.3) lucid-security; urgency=low
* SECURITY UPDATE: flaw in CSRF handling (LP: #719031) patches/ 10_CVE- 2011-0696. diff: apply full CSRF validation to all -incompatible, but the security risks have been judged to www.djangoproje ct.com/ weblog/ 2011/feb/ 08/security/ patches/ 11_CVE- 2011-0697. diff: properly escape URL in contrib/ admin/widgets. py
- debian/
requests, regardless of apparent AJAX origin. This is technically
backwards
outweigh the compatibility concerns in this case. See the Django project
notes for more information:
http://
- CVE-2011-0696
* SECURITY UPDATE: potential XSS in file field rendering
- debian/
django/
- CVE-2011-0697
-- Jamie Strandboge <email address hidden> Tue, 15 Feb 2011 17:11:08 -0600