Ubuntu
python-django package

  1. Bug #719031
  2. Comment #6

Comment 6 for bug 719031

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.1.1-2ubuntu1.3

---------------
python-django (1.1.1-2ubuntu1.3) lucid-security; urgency=low

  * SECURITY UPDATE: flaw in CSRF handling (LP: #719031)
    - debian/patches/10_CVE-2011-0696.diff: apply full CSRF validation to all
      requests, regardless of apparent AJAX origin. This is technically
      backwards-incompatible, but the security risks have been judged to
      outweigh the compatibility concerns in this case. See the Django project
      notes for more information:
      http://www.djangoproject.com/weblog/2011/feb/08/security/
    - CVE-2011-0696
  * SECURITY UPDATE: potential XSS in file field rendering
    - debian/patches/11_CVE-2011-0697.diff: properly escape URL in
      django/contrib/admin/widgets.py
    - CVE-2011-0697
 -- Jamie Strandboge <email address hidden> Tue, 15 Feb 2011 17:11:08 -0600