
Accepted python-django 1:1.10.7-1 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Apr 2017 17:53:30 +0200
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Built-For-Profiles: nocheck
Architecture: source
Version: 1:1.10.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 859515 859516
Changes:
 python-django (1:1.10.7-1) unstable; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2017-7233: Open redirect and possible XSS attack via user-supplied
       numeric redirect URLs.
 .
       Django relies on user input in some cases (e.g.
       django.contrib.auth.views.login() and i18n) to redirect the user to an
       "on success" URL. The security check for these redirects (namely
       django.utils.http.is_safe_url()) considered some numeric URLs (e.g.
       http:999999999) "safe" when they shouldn't be.
 .
       Also, if a developer relies on is_safe_url() to provide safe redirect
       targets and puts such a URL into a link, they could suffer from an XSS
       attack. (Closes: #859515)
 .
     - CVE-2017-7234: Open redirect vulnerability in django.views.static.serve().
 .
       A maliciously crafted URL to a Django site using the
       django.views.static.serve() view could redirect to any other domain. The
       view no longer does any redirects as they don't provide any known,
       useful functionality.
 .
       Note, however, that this view has always carried a warning that it is
       not hardened for production use and should be used only as a development
       aid. Thanks Phithon Gong for reporting this issue. (Closes: #859516)
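
Added example (not part of the upload notice and not Django's own code): a redirect-target check in the spirit of the CVE-2017-7233 description above, which decides whether a scheme is present from the raw string so that http:999999999 is rejected however urlsplit() classifies it. The helper name is_safe_redirect, the host example.com and the sample inputs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Scheme syntax matched on the raw string, so the verdict does not depend on
# how a given urlsplit() version classifies "scheme:digits".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def is_safe_redirect(url, allowed_hosts):
    """True only for a same-site path or an http(s) URL on an allowed host.

    Hypothetical helper for illustration; not Django's is_safe_url().
    """
    if not url:
        return False
    url = url.strip()
    # Reject backslashes and control characters, which browsers may normalise.
    if "\\" in url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed bracketed host
        return False
    host = (parts.hostname or "").lower()
    scheme = _SCHEME_RE.match(url)
    if scheme:
        # An explicit scheme must be http(s) and must name an allowed host.
        # "http:999999999" has a scheme but no "//host", so it fails here
        # even if urlsplit() reports an empty scheme for it.
        return scheme.group(1).lower() in ("http", "https") and host in allowed_hosts
    if parts.netloc:
        # Scheme-relative "//host/path": the host must be allowed.
        return host in allowed_hosts
    # No scheme and no host: accept only a single-slash absolute path.
    return url.startswith("/") and not url.startswith("//")


# Constructed sample inputs; example.com stands in for the site's own host.
SAMPLES = ["/accounts/profile/", "https://example.com/next",
           "http:999999999", "//other.example/x", "///other.example/x"]

if __name__ == "__main__":
    for candidate in SAMPLES:
        print(candidate, is_safe_redirect(candidate, {"example.com"}))
```

Only the first two samples are accepted; a value that passes this check still needs normal output escaping when it is placed into a link.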